CVE-2026-44449 Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPathfullPath call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation...