CVE-2026-44451 Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals fetch, window, eval, etc. with undefined. A static source validator...