Suggestions search

All statuses

Filter by:

With package: revolver

Found 3 matching suggestions

View:

Compact

Detailed

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-42076

9.8 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 weeks, 6 days ago by @LeSuisse Activity log

Created suggestion 3 weeks ago
@LeSuisse dismissed (not in Nixpkgs) 2 weeks, 6 days ago

Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.

References

https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53 x_refsource_CONFIRM
https://github.com/EvoMap/evolver/releases/tag/v1.69.3 x_refsource_MISC

Affected products

evolver

==< 1.69.3

Matching in nixpkgs

pkgs.revolver

Progress spinner for ZSH scripts

nixos-unstable 0.2.4-unstable-2020-09-30
- nixpkgs-unstable 0.2.4-unstable-2020-09-30
- nixos-unstable-small 0.2.4-unstable-2020-09-30
nixos-25.11 0.2.4-unstable-2020-09-30
- nixos-25.11-small 0.2.4-unstable-2020-09-30
- nixpkgs-25.11-darwin 0.2.4-unstable-2020-09-30

Package maintainers

@d-brasher D. Brasher

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-42075

8.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 weeks, 6 days ago by @LeSuisse Activity log

Created suggestion 3 weeks ago
@LeSuisse dismissed (not in Nixpkgs) 2 weeks, 6 days ago

Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3.

References

https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j x_refsource_CONFIRMexploit
https://github.com/EvoMap/evolver/releases/tag/v1.69.3 x_refsource_MISC

Affected products

evolver

==< 1.69.3

Matching in nixpkgs

pkgs.revolver

Progress spinner for ZSH scripts

nixos-unstable 0.2.4-unstable-2020-09-30
- nixpkgs-unstable 0.2.4-unstable-2020-09-30
- nixos-unstable-small 0.2.4-unstable-2020-09-30
nixos-25.11 0.2.4-unstable-2020-09-30
- nixos-25.11-small 0.2.4-unstable-2020-09-30
- nixpkgs-25.11-darwin 0.2.4-unstable-2020-09-30

Package maintainers

@d-brasher D. Brasher

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-42077

5.2 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): High (H)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): High (H)

updated 2 weeks, 6 days ago by @LeSuisse Activity log

Created suggestion 3 weeks ago
@LeSuisse dismissed (not in Nixpkgs) 2 weeks, 6 days ago

Evolver: Prototype Pollution via `Object.assign()` in mailbox store operations

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.

References

https://github.com/EvoMap/evolver/security/advisories/GHSA-2cjr-5v3h-v2w4 x_refsource_CONFIRM
https://github.com/EvoMap/evolver/releases/tag/v1.69.3 x_refsource_MISC

Affected products

evolver

==< 1.69.3

Matching in nixpkgs

pkgs.revolver

Progress spinner for ZSH scripts

nixos-unstable 0.2.4-unstable-2020-09-30
- nixpkgs-unstable 0.2.4-unstable-2020-09-30
- nixos-unstable-small 0.2.4-unstable-2020-09-30
nixos-25.11 0.2.4-unstable-2020-09-30
- nixos-25.11-small 0.2.4-unstable-2020-09-30
- nixpkgs-25.11-darwin 0.2.4-unstable-2020-09-30

Package maintainers

@d-brasher D. Brasher