Evomap

A path traversal vulnerability in `@evomap/evolver` allows a malicious A2A Hub to overwrite project files, leading to remote code execution when a user fetches a malicious skill.

A command injection vulnerability in the `_extractLLM()` function of the evolver application allows remote attackers to execute arbitrary shell commands by injecting shell metacharacters into the `corpus` parameter, leading to potential system compromise.