Search criteria
10 vulnerabilities found for Lumiverse by prolix-oc
CVE-2026-44451 (GCVE-0-2026-44451)
Vulnerability from nvd – Published: 2026-05-26 19:58 – Updated: 2026-05-26 19:58
VLAI
Title
Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments ('ownerDoc' + 'ument'). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node['ownerDoc'+'ument']['def'+'aultView'] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session.This vulnerability is fixed in 0.9.7.
Severity
9.3 (Critical)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments (\u0027ownerDoc\u0027 + \u0027ument\u0027). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node[\u0027ownerDoc\u0027+\u0027ument\u0027][\u0027def\u0027+\u0027aultView\u0027] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session.This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:58:37.036Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-rgp6-55rw-5xf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-rgp6-55rw-5xf4"
}
],
"source": {
"advisory": "GHSA-rgp6-55rw-5xf4",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44451",
"datePublished": "2026-05-26T19:58:37.036Z",
"dateReserved": "2026-05-06T15:49:25.192Z",
"dateUpdated": "2026-05-26T19:58:37.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44450 (GCVE-0-2026-44450)
Vulnerability from nvd – Published: 2026-05-26 19:54 – Updated: 2026-05-26 19:54
VLAI
Title
Lumiverse: RCE via MCP stdio argument injection
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged-in user arbitrary OS-level code execution on the Lumiverse server. The route requires only requireAuth (not requireOwner). The server binds on all interfaces (::) and the host-header rebinding check is bypassed trivially by any HTTP client that sends Host: localhost:<port> directly, making this exploitable from any machine with network access to the server port. This vulnerability is fixed in 0.9.7.
Severity
9.9 (Critical)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged-in user arbitrary OS-level code execution on the Lumiverse server. The route requires only requireAuth (not requireOwner). The server binds on all interfaces (::) and the host-header rebinding check is bypassed trivially by any HTTP client that sends Host: localhost:\u003cport\u003e directly, making this exploitable from any machine with network access to the server port. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:54:33.944Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-mfwv-ch2f-9j5v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-mfwv-ch2f-9j5v"
}
],
"source": {
"advisory": "GHSA-mfwv-ch2f-9j5v",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: RCE via MCP stdio argument injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44450",
"datePublished": "2026-05-26T19:54:33.944Z",
"dateReserved": "2026-05-06T15:49:25.192Z",
"dateUpdated": "2026-05-26T19:54:33.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44449 (GCVE-0-2026-44449)
Vulnerability from nvd – Published: 2026-05-26 20:00 – Updated: 2026-05-26 20:00
VLAI
Title
Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7.
Severity
9.1 (Critical)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains \"; !\u003ccmd\u003e; echo \" achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T20:00:12.090Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-4v38-9hqq-7j53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-4v38-9hqq-7j53"
}
],
"source": {
"advisory": "GHSA-4v38-9hqq-7j53",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44449",
"datePublished": "2026-05-26T20:00:12.090Z",
"dateReserved": "2026-05-06T15:49:25.192Z",
"dateUpdated": "2026-05-26T20:00:12.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44444 (GCVE-0-2026-44444)
Vulnerability from nvd – Published: 2026-05-26 20:01 – Updated: 2026-05-26 20:01
VLAI
Title
Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7.
Severity
9.1 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T20:01:03.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-8x98-3wjp-pmj9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-8x98-3wjp-pmj9"
}
],
"source": {
"advisory": "GHSA-8x98-3wjp-pmj9",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44444",
"datePublished": "2026-05-26T20:01:03.872Z",
"dateReserved": "2026-05-06T15:49:25.192Z",
"dateUpdated": "2026-05-26T20:01:03.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44443 (GCVE-0-2026-44443)
Vulnerability from nvd – Published: 2026-05-26 20:02 – Updated: 2026-05-26 20:02
VLAI
Title
Lumiverse: Sign-up nonce race condition allows unauthorized account registration
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a dupplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.
Severity
4.8 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin\u0027s session. If the admin\u0027s auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a dupplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T20:02:39.562Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-6fcp-x253-wwv7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-6fcp-x253-wwv7"
}
],
"source": {
"advisory": "GHSA-6fcp-x253-wwv7",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: Sign-up nonce race condition allows unauthorized account registration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44443",
"datePublished": "2026-05-26T20:02:39.562Z",
"dateReserved": "2026-05-06T15:49:25.191Z",
"dateUpdated": "2026-05-26T20:02:39.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44443 (GCVE-0-2026-44443)
Vulnerability from cvelistv5 – Published: 2026-05-26 20:02 – Updated: 2026-05-26 20:02
VLAI
Title
Lumiverse: Sign-up nonce race condition allows unauthorized account registration
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a dupplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.
Severity
4.8 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin\u0027s session. If the admin\u0027s auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a dupplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T20:02:39.562Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-6fcp-x253-wwv7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-6fcp-x253-wwv7"
}
],
"source": {
"advisory": "GHSA-6fcp-x253-wwv7",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: Sign-up nonce race condition allows unauthorized account registration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44443",
"datePublished": "2026-05-26T20:02:39.562Z",
"dateReserved": "2026-05-06T15:49:25.191Z",
"dateUpdated": "2026-05-26T20:02:39.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44444 (GCVE-0-2026-44444)
Vulnerability from cvelistv5 – Published: 2026-05-26 20:01 – Updated: 2026-05-26 20:01
VLAI
Title
Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7.
Severity
9.1 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T20:01:03.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-8x98-3wjp-pmj9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-8x98-3wjp-pmj9"
}
],
"source": {
"advisory": "GHSA-8x98-3wjp-pmj9",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44444",
"datePublished": "2026-05-26T20:01:03.872Z",
"dateReserved": "2026-05-06T15:49:25.192Z",
"dateUpdated": "2026-05-26T20:01:03.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44449 (GCVE-0-2026-44449)
Vulnerability from cvelistv5 – Published: 2026-05-26 20:00 – Updated: 2026-05-26 20:00
VLAI
Title
Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7.
Severity
9.1 (Critical)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains \"; !\u003ccmd\u003e; echo \" achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T20:00:12.090Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-4v38-9hqq-7j53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-4v38-9hqq-7j53"
}
],
"source": {
"advisory": "GHSA-4v38-9hqq-7j53",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44449",
"datePublished": "2026-05-26T20:00:12.090Z",
"dateReserved": "2026-05-06T15:49:25.192Z",
"dateUpdated": "2026-05-26T20:00:12.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44451 (GCVE-0-2026-44451)
Vulnerability from cvelistv5 – Published: 2026-05-26 19:58 – Updated: 2026-05-26 19:58
VLAI
Title
Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments ('ownerDoc' + 'ument'). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node['ownerDoc'+'ument']['def'+'aultView'] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session.This vulnerability is fixed in 0.9.7.
Severity
9.3 (Critical)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments (\u0027ownerDoc\u0027 + \u0027ument\u0027). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node[\u0027ownerDoc\u0027+\u0027ument\u0027][\u0027def\u0027+\u0027aultView\u0027] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session.This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:58:37.036Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-rgp6-55rw-5xf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-rgp6-55rw-5xf4"
}
],
"source": {
"advisory": "GHSA-rgp6-55rw-5xf4",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44451",
"datePublished": "2026-05-26T19:58:37.036Z",
"dateReserved": "2026-05-06T15:49:25.192Z",
"dateUpdated": "2026-05-26T19:58:37.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44450 (GCVE-0-2026-44450)
Vulnerability from cvelistv5 – Published: 2026-05-26 19:54 – Updated: 2026-05-26 19:54
VLAI
Title
Lumiverse: RCE via MCP stdio argument injection
Summary
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged-in user arbitrary OS-level code execution on the Lumiverse server. The route requires only requireAuth (not requireOwner). The server binds on all interfaces (::) and the host-header rebinding check is bypassed trivially by any HTTP client that sends Host: localhost:<port> directly, making this exploitable from any machine with network access to the server port. This vulnerability is fixed in 0.9.7.
Severity
9.9 (Critical)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/prolix-oc/Lumiverse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "Lumiverse",
"vendor": "prolix-oc",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged-in user arbitrary OS-level code execution on the Lumiverse server. The route requires only requireAuth (not requireOwner). The server binds on all interfaces (::) and the host-header rebinding check is bypassed trivially by any HTTP client that sends Host: localhost:\u003cport\u003e directly, making this exploitable from any machine with network access to the server port. This vulnerability is fixed in 0.9.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:54:33.944Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-mfwv-ch2f-9j5v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-mfwv-ch2f-9j5v"
}
],
"source": {
"advisory": "GHSA-mfwv-ch2f-9j5v",
"discovery": "UNKNOWN"
},
"title": "Lumiverse: RCE via MCP stdio argument injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44450",
"datePublished": "2026-05-26T19:54:33.944Z",
"dateReserved": "2026-05-06T15:49:25.192Z",
"dateUpdated": "2026-05-26T19:54:33.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}