CVE-2026-44449 CRITICAL

CVE-2026-44449: Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape

Vendor Prolix-Oc
Product Lumiverse
Weakness CWE-88
Published May 26, 2026
Last update May 27, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated

Related vulnerabilities

04Related CVE