EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint because the per-message sender_id field was not validated as a path-safe identifier, unlike app_id and project_id. During user-memory extraction, sender_id is used as owner_id and joined into the filesystem path where the extracted episode is persisted as a Markdown file, so a sender_id containing ../ sequences could direct writes outside the configured memory root and allow an unauthenticated caller to create or overwrite .md files at locations writable by the server process with partially attacker-influenced content. This issue is fixed in version 1.0.1.
CVE-2026-58499
This high-severity CVE scores 8.2 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.4%, top 72% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.2
- EG Score
- 8.2(medium)
- EPSS
- 27.8%
- KEV
- Not listed
Published
July 10, 2026
Last Modified
July 13, 2026
Advisory Details (3)
Auto-updated Jul 10, 2026Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id · Advisory · EverMind-AI/EverOS · GitHub
Affected: v1.0.1 with (1) path-safe validation on sender_id (character whitelist plus rejec
https://github.com/EverMind-AI/EverOS/security/advisories/GHSA-c795-2g9c-j48mEverOS 1.0.1
Patch available: EverMind-AI/EverOS v1.0.1
https://github.com/EverMind-AI/EverOS/releases/tag/v1.0.1commit a10cdcd19774 (EverMind-AI/EverOS)
Patch available: EverMind-AI/EverOS v1.0.1 (contains commit a10cdcd19774)
https://github.com/EverMind-AI/EverOS/commit/a10cdcd197747f371b7879a32c2cc3f77471e9c2Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| everos | 0.0.2 ... 1.0.0 (6 versions) | 1.0.1 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 19× in last 7d / 19× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-15 19:49 UTCEG score recompute
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 06:37 UTCEG score recompute
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-14 17:25 UTCEG score recompute
- 2026-07-14 04:14 UTCEG score recompute
- 2026-07-13 22:31 UTCEPSS rescore
- 2026-07-13 15:02 UTCEG score recompute
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 01:49 UTCEG score recompute
- 2026-07-12 12:37 UTCEG score recompute
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 23:26 UTCEG score recompute
- 2026-07-11 10:15 UTCEG score recompute
- 2026-07-10 21:03 UTCEG score recompute
- 2026-07-10 21:02 UTCMITRE cvelistV5first tracked
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2026-58499?
When was CVE-2026-58499 disclosed?
Is CVE-2026-58499 actively exploited?
What is the CVSS score of CVE-2026-58499?
How do I remediate CVE-2026-58499?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-58499
Is Your Infrastructure Affected by CVE-2026-58499?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.