Is @evomap/evolver affected by CVE-2026-42075?

npm @evomap/evolver is affected in <1.69.3.

Is CVE-2026-42075 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

high

CVE-2026-42075

Q: Is CVE-2026-42075 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

npm · @evomap/evolver

Summary

Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write

Severity: high
EPSS: 0.6% (p42)
Also known as: GHSA-r466-rxw4-3j9j
Published: 2026-04-22

References

https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j
https://nvd.nist.gov/vuln/detail/CVE-2026-42075
https://github.com/EvoMap/evolver

Related advisories

CVE-2026-42076 — critical · npm/@evomap/evolver
GHSA-jxh8-jh77-xh6g — high · npm/@evomap/evolver
GHSA-cfcj-hqpf-hccf — high · npm/@evomap/evolver
GHSA-7xp7-m392-h92c — medium · npm/@evomap/evolver
CVE-2026-42077 — medium · npm/@evomap/evolver

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.