Xeloxa

**Name of the Vulnerable Software and Affected Versions** github.com/gofiber/fiber/v3 versions prior to 3.1.0 **Description** The default key generator in the cache middleware uses only the request path via the `c.Path()` function and excludes the query string. Consequently, requests targeting the same path but containing different query parameters map to the same cache key. This leads to response mix-ups where a user may receive a cached response intended for a different request, potentially leaking or corrupting user or tenant-specific content for endpoints where the response depends on query parameters. **Recommendations** Update to version 3.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Evolver versions prior to 1.69.3 **Description** A path traversal issue exists in the skill download (fetch) command. The `--out=` flag accepts user-provided paths without proper validation, allowing attackers to write files to arbitrary locations on the filesystem. This can lead to the overwriting of critical system files or the creation of files in sensitive locations. **Recommendations** Update to version 1.69.3.

**Name of the Vulnerable Software and Affected Versions** Evolver versions prior to 1.69.3 **Description** A command injection issue exists in the ` extractLLM()` function. The function constructs a curl command using string concatenation and passes it to `execSync()` without proper sanitization. This allows attackers to execute arbitrary shell commands on the server when the `corpus` parameter contains shell metacharacters, leading to remote code execution. **Recommendations** Update to version 1.69.3. As a temporary workaround, restrict or sanitize the input provided to the `corpus` parameter used in the ` extractLLM()` function.

**Name of the Vulnerable Software and Affected Versions** Evolver versions prior to 1.69.3 **Description** A prototype pollution issue in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The flaw occurs within the ` applyUpdate()` and ` updateRecord()` functions, which utilize Object.assign() to merge user-controlled data without filtering dangerous keys such as ` proto `, `constructor`, or `prototype`. **Recommendations** Update to version 1.69.3.