CVE-2026-44444
Status: Received - Intake
Code Execution via Preinstall Script in Lumiverse AI Chat

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-05-27
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
2 associated CPEs
Vendor     Product    Version / Range
lumiverse  lumiverse  up to 0.9.7 (excluding)
lumiverse  spindle    up to 0.9.7 (excluding)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Lumiverse, an AI chat application, specifically in versions prior to 0.9.7. The issue arises in the Spindle extension build pipeline, which calls 'bun install' without the '--ignore-scripts' flag before running the static backend safety scan (assertSafeBackendBundle). Because of this ordering, a malicious extension whose package.json declares lifecycle scripts such as preinstall, postinstall, or prepare gets those scripts executed on the host as soon as an admin clicks Install, before any dist file has been inspected.


How can this vulnerability impact me?

This vulnerability can lead to host-level code execution, meaning an attacker can run arbitrary code on the system where Lumiverse is installed. This can compromise the confidentiality, integrity, and availability of the system and its data, potentially allowing attackers to steal sensitive information, alter data, or disrupt services.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Lumiverse to version 0.9.7 or later, where the issue has been fixed.

Avoid installing extensions before verifying their contents, especially any lifecycle scripts such as preinstall, postinstall, or prepare scripts in package.json files.
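The description above explains the root cause (lifecycle scripts run during `bun install` before the static scan) and the mitigation answer recommends checking package.json for such scripts before installing. The following is an added example, not Lumiverse or Spindle code, showing how an extension installer can enforce both points: it inspects the manifest for lifecycle hooks and always passes `--ignore-scripts` to the install step. The function names, the list of hook names, and the two sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not Lumiverse/Spindle code): vet an extension's package.json for
// lifecycle scripts before installing, and build install arguments that never run them.
// Function names and sample manifests are constructed for this illustration.

// Lifecycle hooks that a package manager may run during install/prepare.
const LIFECYCLE_SCRIPTS = [
  "preinstall", "install", "postinstall",
  "preprepare", "prepare", "postprepare",
];

// Parse a package.json text and report any lifecycle scripts it declares.
// An unparseable manifest is treated as untrusted rather than silently passing.
function findLifecycleScripts(packageJsonText) {
  let manifest;
  try {
    manifest = JSON.parse(packageJsonText);
  } catch (err) {
    return { ok: false, reason: "package.json is not valid JSON", scripts: [] };
  }
  const scripts =
    manifest && typeof manifest.scripts === "object" && manifest.scripts !== null
      ? manifest.scripts
      : {};
  const found = LIFECYCLE_SCRIPTS
    .filter((name) => Object.prototype.hasOwnProperty.call(scripts, name))
    .map((name) => ({ name, command: String(scripts[name]) }));
  return {
    ok: found.length === 0,
    reason: found.length ? "lifecycle scripts present" : "",
    scripts: found,
  };
}

// Build the argv for the dependency install step (e.g. spawn("bun", args)).
// Scripts are disabled unconditionally; the static scan runs on the installed tree afterwards.
function buildInstallArgs(extraArgs = []) {
  const args = ["install", "--ignore-scripts", ...extraArgs];
  if (!args.includes("--ignore-scripts")) throw new Error("install args lost --ignore-scripts");
  return args;
}

// Decision helper: "reject" when lifecycle scripts are declared, otherwise "install"
// together with the hardened argv. Rejecting, rather than merely skipping the hooks,
// surfaces the suspicious manifest to the admin instead of hiding it.
function vetExtension(packageJsonText) {
  const result = findLifecycleScripts(packageJsonText);
  return {
    decision: result.ok ? "install" : "reject",
    ...result,
    installArgs: result.ok ? buildInstallArgs() : null,
  };
}

// Constructed sample manifests (not from any real extension).
const CLEAN_MANIFEST = JSON.stringify({
  name: "example-ext", version: "1.0.0",
  scripts: { build: "tsc -p ." },
});
const HOOKED_MANIFEST = JSON.stringify({
  name: "example-ext", version: "1.0.0",
  scripts: { build: "tsc -p .", postinstall: "node setup.js" },
});

console.log(vetExtension(CLEAN_MANIFEST));   // decision: "install", installArgs: ["install", "--ignore-scripts"]
console.log(vetExtension(HOOKED_MANIFEST));  // decision: "reject", scripts: [{ name: "postinstall", ... }]
```

Two design notes: the manifest check runs before anything is executed, so it closes the window the advisory describes, and the `--ignore-scripts` flag is still passed even for a clean manifest, so a script added under an unexpected key, or a dependency's own hooks, cannot reintroduce the problem. Neither step replaces the static scan of the dist files; they only guarantee that the scan runs before any extension code does.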

