CVE Catalog

CVE-2026-44449

Critical
Published: Translated: NVD NIST

Summary

In the Lumiverse application prior to version 0.9.7, there is a vulnerability that allows arbitrary command execution on the Lumiverse server. The issue arises from a lack of validation in the toSmbPath method, enabling the injection of malicious commands through improperly formatted filenames.

Risk Assessment

Exploitation of this vulnerability could lead to full control over the Lumiverse server, posing a serious threat to the security of the organization's data and systems.

Recommendation

It is recommended to update the Lumiverse application to version 0.9.7 or later to eliminate this vulnerability and to conduct a security audit of the system.

Original NVD description (English source)

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS