PT-2026-43400 · Lumiverse · Lumiverse
Cu64
·
Published
2026-05-26
·
Updated
2026-05-27
·
CVE-2026-44444
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Lumiverse versions prior to 0.9.7
Description
The Spindle extension build pipeline executes
bun install without the --ignore-scripts flag before performing the static backend safety scan via the assertSafeBackendBundle() function. This allows a malicious extension containing a package.json file with preinstall, postinstall, or prepare lifecycle scripts to achieve host-level code execution when an administrator initiates the installation process, occurring before any distribution files are inspected.Recommendations
Update to version 0.9.7.
Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Lumiverse