Lucene search
K

41 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.9 views

CVE-2026-44449

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPathfullPath call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation...

9.1CVSS5.8AI score0.00451EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/01 10:3 p.m.14 views

CVE-2026-44450

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code executi...

9.9CVSS6.3AI score0.00377EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/28 8:13 p.m.13 views

CVE-2026-44443

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail call fails...

4.8CVSS5.8AI score0.00118EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/27 8:13 p.m.14 views

CVE-2026-44451

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals fetch, window, eval, etc. with undefined. A static source validator...

9.3CVSS5.7AI score0.0023EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/27 8:13 p.m.11 views

CVE-2026-44444

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

9.1CVSS6.2AI score0.0037EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.16 views

PT-2026-43621

Impact An attacker can cause the creation of unnecessary background threads in the python-engineio server by exploiting the heartbeat mechanism, which launches a thread when a new connection is received, and when the client sends a PONG packet. Note: this issue primarily affects synchronous...

7.5CVSS5.8AI score
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.22 views

PT-2026-43619

Name of the Vulnerable Software and Affected Versions protobufjs affected versions not specified Description An issue exists where the software could recurse without a depth limit during the conversion of decoded messages to plain objects or JSON. This specifically affects the generated toObject...

7.5CVSS5.9AI score0.00324EPSS
Exploits0References7
NVD
NVD
added 2026/05/26 9:16 p.m.20 views

CVE-2026-44450

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code executi...

9.9CVSS0.00377EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 9:16 p.m.14 views

CVE-2026-44449

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPathfullPath call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation...

9.1CVSS0.00451EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 9:16 p.m.20 views

CVE-2026-44451

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals fetch, window, eval, etc. with undefined. A static source validator...

9.3CVSS0.0023EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 9:16 p.m.17 views

CVE-2026-44444

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

9.1CVSS0.0037EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 9:16 p.m.18 views

CVE-2026-44443

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail call fails...

4.8CVSS0.00118EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 8:2 p.m.8 views

CVE-2026-44443

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail call fails...

4.8CVSS5.8AI score0.00118EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/26 8:2 p.m.9 views

CVE-2026-44443 Lumiverse: Sign-up nonce race condition allows unauthorized account registration

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail call fails...

4.8CVSS5.8AI score0.00118EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 8:2 p.m.37 views

CVE-2026-44443 Lumiverse: Sign-up nonce race condition allows unauthorized account registration

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail call fails...

4.8CVSS0.00118EPSS
Exploits0References1
CVE
CVE
added 2026/05/26 8:2 p.m.24 views

CVE-2026-44443

Lumiverse prior to version 0.9.7 is affected by a nonce race condition in consumeNonce(): the function only checks module-level state, not the incoming request value or binding the nonce to the admin session. If admin sign-up via POST /api/auth/sign-up/email triggers a failure before the before h...

4.8CVSS5.8AI score0.00118EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/26 8:1 p.m.9 views

CVE-2026-44444 Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

9.1CVSS6.2AI score0.0037EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 8:1 p.m.9 views

CVE-2026-44444

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

9.1CVSS6.2AI score0.0037EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/26 8:1 p.m.27 views

CVE-2026-44444

Lumiverse before 0.9.7: the Spindle extension build pipeline runs bun install without --ignore-scripts prior to the static backend safety scan (assertSafeBackendBundle). A malicious extension containing a package.json with preinstall, postinstall, or prepare lifecycle scripts can achieve host‑lev...

9.1CVSS6.2AI score0.0037EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 8:1 p.m.37 views

CVE-2026-44444 Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

9.1CVSS0.0037EPSS
Exploits0References1
Rows per page
Query Builder