CVE-2026-44444 CRITICAL

CVE-2026-44444: Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan

Vendor Prolix-Oc
Product Lumiverse
Weakness CWE-78
Published May 26, 2026
Last update May 27, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Lumiverse is a full-featured AI chat application. Before version 0.9.7, the Spindle extension build pipeline runs bun install without the --ignore-scripts flag, and it does so before the static backend safety scan (assertSafeBackendBundle) has looked at the extension. A malicious extension that ships a package.json declaring a preinstall, postinstall, or prepare lifecycle script therefore gets code execution on the host the moment an admin presses Install, before any dist file is inspected; a scan that runs afterwards cannot undo that. Version 0.9.7 fixes the issue.
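The following is an added example, not code from Lumiverse or the Spindle pipeline. It shows the control the fix implies: an extension's package.json is gated for install-time lifecycle hooks before anything is installed, and the install itself is always invoked with --ignore-scripts so that no hook can run ahead of the dist scan. The function names gateExtensionManifest and buildInstallSpawn, the sample manifests, and the "hooks/setup.js" script paths are assumptions made for illustration; --ignore-scripts and --frozen-lockfile are real bun install flags.

```javascript
// Added example (not Lumiverse's own code). Models a pre-install gate for an
// untrusted Spindle extension plus the hardened bun install invocation.

// package.json keys that npm-compatible installers treat as install-time
// lifecycle hooks. Any of these in an untrusted manifest is a red flag.
const LIFECYCLE_KEYS = [
  "preinstall", "install", "postinstall",
  "preprepare", "prepare", "postprepare",
  "prepublish",
];

// Parse an extension's package.json and collect every reason it must not be
// installed with lifecycle scripts enabled. Returns { ok, reasons }.
function gateExtensionManifest(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    return { ok: false, reasons: ["package.json is not valid JSON"] };
  }
  const reasons = [];
  const scripts =
    manifest.scripts && typeof manifest.scripts === "object" ? manifest.scripts : {};
  for (const key of LIFECYCLE_KEYS) {
    if (Object.prototype.hasOwnProperty.call(scripts, key)) {
      reasons.push(`lifecycle script "${key}" declared: ${String(scripts[key])}`);
    }
  }
  // Bun runs a dependency's lifecycle scripts only when the root package lists
  // it in trustedDependencies, so an extension shipping that field is opting
  // its own dependencies into script execution.
  if (Array.isArray(manifest.trustedDependencies) && manifest.trustedDependencies.length > 0) {
    reasons.push(
      `trustedDependencies opts packages into scripts: ${manifest.trustedDependencies.join(", ")}`
    );
  }
  return { ok: reasons.length === 0, reasons };
}

// Build the spawn description for the install step. ignoreScripts defaults to
// true; passing false reproduces the pre-0.9.7 invocation for comparison.
// --frozen-lockfile additionally refuses an install that would rewrite the
// lockfile the extension shipped with. Nothing is spawned here.
function buildInstallSpawn(extensionDir, { ignoreScripts = true } = {}) {
  const argv = ["bun", "install", "--frozen-lockfile"];
  if (ignoreScripts) argv.push("--ignore-scripts");
  return { argv, cwd: extensionDir };
}

// Constructed sample manifests (not taken from any real extension).
const MALICIOUS_MANIFEST = JSON.stringify({
  name: "spindle-ext-demo",
  version: "1.0.0",
  scripts: {
    preinstall: "node ./hooks/setup.js",   // would run before any dist scan
    postinstall: "node ./hooks/finish.js",
    build: "bun run build.ts",
  },
});

const CLEAN_MANIFEST = JSON.stringify({
  name: "spindle-ext-demo",
  version: "1.0.0",
  scripts: { build: "bun run build.ts" },  // build is not an install hook
});

// Demo: the gate rejects the hook-bearing manifest, accepts the clean one,
// and the install argv always carries --ignore-scripts.
const verdict = gateExtensionManifest(MALICIOUS_MANIFEST);
console.log("malicious manifest ok:", verdict.ok, verdict.reasons);
console.log("clean manifest ok:", gateExtensionManifest(CLEAN_MANIFEST).ok);
console.log("install step:", buildInstallSpawn("/opt/lumiverse/extensions/demo"));
```

The gate is defence in depth; the unconditional --ignore-scripts is the actual fix, because a manifest check can miss hooks introduced through a dependency that the extension marks trusted, while --ignore-scripts suppresses both the root package's hooks and any dependency's. Ordering still matters after the fix: the dist scan runs after install, so the only things that may execute before it are the installer itself and nothing the extension supplied.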

Key dates

Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated