CVE 9.1 CRITICAL

Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan_CVE-2026-44444

May 26, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7.

AI Analysis

Spindle extension install runs untrusted lifecycle scripts before security scan, allowing host-level code execution

Basic Information

ID CVE-2026-44444

Source GitHub_M

Published May 26, 2026 at 20:01

Affected Product

Vendor prolix-oc

Product Lumiverse

Version < 0.9.7

Affected Versions prolix-oc Lumiverse < 0.9.7

CWE Classification

CWE-78

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor prolix-oc

Product Lumiverse

Version < 0.9.7

References

github.com /prolix-oc/Lumiverse/security/advisories/GHSA-8x98-3wjp-pmj9

{
    "lastseen": "",
    "description": "Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7.",
    "published": "2026-05-26T20:01:03.872Z",
    "modified": "2026-05-26T20:01:03.872Z",
    "type": "cve",
    "title": "Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan",
    "source": "GitHub_M",
    "references": "https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-8x98-3wjp-pmj9",
    "id": "CVE-2026-44444",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "prolix-oc Lumiverse < 0.9.7",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Lumiverse",
    "version": "< 0.9.7",
    "vendor": "prolix-oc",
    "ai_description": "Spindle extension install runs untrusted lifecycle scripts before security scan, allowing host-level code execution",
    "ai_severity": "Critical",
    "ai_vendor": "prolix-oc",
    "ai_product": "Lumiverse",
    "ai_version": "< 0.9.7",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply