PT-2026-43400 · Lumiverse · Lumiverse

Cu64

·

Published

2026-05-26

·

Updated

2026-05-27

·

CVE-2026-44444

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Lumiverse versions prior to 0.9.7
Description The Spindle extension build pipeline executes bun install without the --ignore-scripts flag before performing the static backend safety scan via the assertSafeBackendBundle() function. This allows a malicious extension containing a package.json file with preinstall, postinstall, or prepare lifecycle scripts to achieve host-level code execution when an administrator initiates the installation process, occurring before any distribution files are inspected.
Recommendations Update to version 0.9.7.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44444

Affected Products

Lumiverse