CVE Catalog

CVE-2026-44444

Critical
Published: Translated: NVD NIST

Summary

Lumiverse is an AI chat application that prior to version 0.9.7 had a vulnerability in the Spindle extension. The execution of 'bun install' without the --ignore-scripts flag allows malicious extensions to execute code at the host level when an admin installs it.

Risk Assessment

Organizations may be exposed to malware that can run on the server, potentially leading to data loss or system takeover.

Recommendation

It is recommended to update Lumiverse to version 0.9.7 or later to mitigate this vulnerability.

Original NVD description (English source)

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS