Lucene search
K

4 matches found

CVE
CVE
added 4 days ago9 views

CVE-2026-58499

EverOS is affected by a path-traversal vulnerability in the POST /api/v1/memory/add ingestion endpoint prior to version 1.0.1. The per-message sender_id was not validated as a path-safe identifier, unlike app_id/project_id, and is used as owner_id to build the filesystem path for persisting extra...

8.2CVSS6.1AI score0.00356EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-58499 Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id

EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint because the per-message senderid field was not validated as a path-safe identifier, unlike appid and projectid. During user-memory extraction, senderid i...

8.2CVSS0.00356EPSS
Exploits0References3
OSV
OSV
added 4 days ago2 views

CVE-2026-58499 Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id

EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint because the per-message senderid field was not validated as a path-safe identifier, unlike appid and projectid. During user-memory extraction, senderid i...

8.2CVSS6.1AI score0.00356EPSS
Exploits0References5
OSV
OSV
added 2026/06/19 9:43 p.m.14 views

GHSA-C795-2G9C-J48M EverOS: Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id

EverOS versions 1.0.0 and earlier are vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint. The per-message senderid field was not validated as a path-safe identifier unlike appid / projectid, which already enforced this. During user-memory extraction, senderid is used a...

8.2CVSS6AI score0.00356EPSS
Exploits0References3
Rows per page
Query Builder