CVE-2026-58499

HIGHPre-NVD 8.28.2
EchelonGraph scoreMEDIUM confidence

This high-severity CVE scores 8.2 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.4%, top 72% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: epss, secondary
Trending — 3 sources updated this week
8.2
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.2Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint because the per-message sender_id field was not validated as a path-safe identifier, unlike app_id and project_id. During user-memory extraction, sender_id is used as owner_id and joined into the filesystem path where the extracted episode is persisted as a Markdown file, so a sender_id containing ../ sequences could direct writes outside the configured memory root and allow an unauthenticated caller to create or overwrite .md files at locations writable by the server process with partially attacker-influenced content. This issue is fixed in version 1.0.1.

CVSS v3
8.2
EG Score
8.2(medium)
EPSS
27.8%
KEV
Not listed

Published

July 10, 2026

Last Modified

July 13, 2026

Advisory Details (3)

Auto-updated Jul 10, 2026
Patch available. Sources: github, github_commit, github_release.
github Patch Available

Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id · Advisory · EverMind-AI/EverOS · GitHub

Affected: v1.0.1 with (1) path-safe validation on sender_id (character whitelist plus rejec

https://github.com/EverMind-AI/EverOS/security/advisories/GHSA-c795-2g9c-j48m
github_release Patch Available

EverOS 1.0.1

Patch available: EverMind-AI/EverOS v1.0.1

https://github.com/EverMind-AI/EverOS/releases/tag/v1.0.1
github_commit Patch Available

commit a10cdcd19774 (EverMind-AI/EverOS)

Patch available: EverMind-AI/EverOS v1.0.1 (contains commit a10cdcd19774)

https://github.com/EverMind-AI/EverOS/commit/a10cdcd197747f371b7879a32c2cc3f77471e9c2

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
everos0.0.2 ... 1.0.0 (6 versions)1.0.1

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 19× in last 7d / 19× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 19:49 UTCEG score recompute
  2. 2026-07-15 16:57 UTCEPSS rescore
  3. 2026-07-15 16:57 UTCEPSS rescore
  4. 2026-07-15 06:37 UTCEG score recompute
  5. 2026-07-15 02:00 UTCEPSS rescore
  6. 2026-07-15 02:00 UTCEPSS rescore
  7. 2026-07-14 17:25 UTCEG score recompute
  8. 2026-07-14 04:14 UTCEG score recompute
  9. 2026-07-13 22:31 UTCEPSS rescore
  10. 2026-07-13 15:02 UTCEG score recompute
  11. 2026-07-13 06:13 UTCEPSS rescore
  12. 2026-07-13 06:13 UTCEPSS rescore
  13. 2026-07-13 01:49 UTCEG score recompute
  14. 2026-07-12 12:37 UTCEG score recompute
  15. 2026-07-12 05:46 UTCEPSS rescore
  16. 2026-07-11 23:26 UTCEG score recompute
  17. 2026-07-11 10:15 UTCEG score recompute
  18. 2026-07-10 21:03 UTCEG score recompute
  19. 2026-07-10 21:02 UTCMITRE cvelistV5first tracked

Frequently asked(5)

What is CVE-2026-58499?
CVE-2026-58499 is a high vulnerability published on July 10, 2026. EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint because the per-message senderid field was not validated as a path-safe identifier, unlike appid and projectid. During user-memory extraction, senderid is…
When was CVE-2026-58499 disclosed?
CVE-2026-58499 was first published in the National Vulnerability Database on July 10, 2026, with the most recent update on July 13, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-58499 actively exploited?
CVE-2026-58499 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 27.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-58499?
CVE-2026-58499 has a CVSS v3 base score of 8.2 (NVD).
How do I remediate CVE-2026-58499?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-58499, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-58499

Explore →

Is Your Infrastructure Affected by CVE-2026-58499?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.