Code Execution Vulnerability in Lumiverse AI Chat Application
CVE-2026-44444

9.1CRITICAL

Key Information:

Vendor: Prolix-oc
Status: Lumiverse
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-44444?

A code execution vulnerability exists in the Lumiverse AI chat application due to the Spindle extension build pipeline invoking 'bun install' without the '--ignore-scripts' flag. This flaw allows a malicious extension that includes a package.json with lifecycle scripts (preinstall, postinstall, or prepare) to execute host-level code as soon as an administrator initiates the installation process, prior to any distribution files being checked. This serious security risk has been addressed in version 0.9.7 of Lumiverse.

Affected Version(s)

Lumiverse < 0.9.7

References

https://github.com/prolix-oc/Lumiverse/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44444 Data

JSON

Prolix-oc

What is CVE-2026-44444?

Affected Version(s)

References

CVSS V3.1

Timeline