Arbitrary Command Execution in Lumiverse AI Chat Application
CVE-2026-44449
9.1 CRITICAL
What is CVE-2026-44449?
The Lumiverse AI chat application is vulnerable to arbitrary command execution because of insufficient input validation. When a specific method fails, the application improperly processes the file path and places it into the smbclient -c script without proper checks, which lets an attacker inject commands. The flaw can be triggered by crafting a path whose directory component is valid while the basename includes potentially malicious commands. The issue has been resolved in version 0.9.7.
Affected Version(s)
Lumiverse < 0.9.7
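
The validation gap described above, shown as an added example (not Lumiverse's code or its actual fix): smbclient treats the -c string as a semicolon-separated command list, so every path component, basename included, has to pass an allowlist before it is interpolated, and a failure must raise rather than fall back to the raw path. The function names, the allowlist and the sample path are assumptions made for illustration.

```python
import posixpath
import re

# Allowlist for one path component: letters, digits, space, dot, dash, underscore.
# Separators such as ";" and quoting characters never match, so they are rejected.
_SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._ -]+")


class UnsafePathError(ValueError):
    """Raised when a remote path cannot be placed in an smbclient -c script."""


def validate_remote_path(remote_path: str) -> str:
    """Validate every component of the path, basename included, and fail closed."""
    parts = [p for p in remote_path.replace("\\", "/").split("/") if p]
    if not parts:
        raise UnsafePathError("empty path")
    for part in parts:
        if part in (".", "..") or not _SAFE_COMPONENT.fullmatch(part):
            raise UnsafePathError(f"rejected component: {part!r}")
    return "/".join(parts)


def build_get_script(remote_path: str) -> str:
    """Build the -c script for one download; raises instead of falling back."""
    safe = validate_remote_path(remote_path)
    directory, basename = posixpath.split(safe)
    commands = []
    if directory:
        commands.append(f'cd "{directory}"')
    commands.append(f'get "{basename}"')
    return "; ".join(commands)


def directory_only_check(remote_path: str) -> bool:
    """The incomplete pattern: only the directory part is inspected."""
    directory = posixpath.dirname(remote_path)
    return all(_SAFE_COMPONENT.fullmatch(p) for p in directory.split("/") if p)


# Constructed sample input: valid directory, basename carrying a second command.
CRAFTED = "reports/q1.txt; help"
```

Passing the resulting string as a single argv element to smbclient (no shell in between) keeps the validated script from being reinterpreted a second time.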
