CVE-2026-44444: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in prolix-oc Lumiverse
CVE-2026-44444 is a critical OS command injection vulnerability in prolix-oc Lumiverse versions prior to 0. 9. 7. The issue arises because the Spindle extension build pipeline runs 'bun install' without the --ignore-scripts flag, allowing malicious lifecycle scripts in a package. json to execute code on the host when an admin installs an extension. This leads to host-level code execution before any backend safety checks occur. The vulnerability is fixed in version 0. 9. 7.
AI Analysis
Technical Summary
Lumiverse, an AI chat application by prolix-oc, had a vulnerability (CVE-2026-44444) in versions before 0.9.7 where the Spindle extension build pipeline executed 'bun install' without disabling lifecycle scripts. Malicious extensions containing preinstall, postinstall, or prepare scripts in their package.json could execute arbitrary commands on the host system at install time, resulting in OS command injection (CWE-78). This allows an attacker with admin privileges to achieve full host-level code execution before static backend safety scans are performed. The issue is resolved in Lumiverse 0.9.7.
Potential Impact
Successful exploitation allows an attacker with admin privileges to execute arbitrary commands on the host system, leading to complete compromise of confidentiality, integrity, and availability of the affected system. This is a critical severity vulnerability with a CVSS score of 9.1, indicating high impact on system security.
Mitigation Recommendations
Upgrade Lumiverse to version 0.9.7 or later, where this vulnerability is fixed by properly disabling lifecycle scripts during the extension build pipeline. Until upgraded, avoid installing untrusted extensions and restrict admin privileges to trusted users only. Patch status is confirmed fixed in version 0.9.7.
CVE-2026-44444: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in prolix-oc Lumiverse
Description
CVE-2026-44444 is a critical OS command injection vulnerability in prolix-oc Lumiverse versions prior to 0. 9. 7. The issue arises because the Spindle extension build pipeline runs 'bun install' without the --ignore-scripts flag, allowing malicious lifecycle scripts in a package. json to execute code on the host when an admin installs an extension. This leads to host-level code execution before any backend safety checks occur. The vulnerability is fixed in version 0. 9. 7.
CVSS v3.1
Score 9.1critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Lumiverse, an AI chat application by prolix-oc, had a vulnerability (CVE-2026-44444) in versions before 0.9.7 where the Spindle extension build pipeline executed 'bun install' without disabling lifecycle scripts. Malicious extensions containing preinstall, postinstall, or prepare scripts in their package.json could execute arbitrary commands on the host system at install time, resulting in OS command injection (CWE-78). This allows an attacker with admin privileges to achieve full host-level code execution before static backend safety scans are performed. The issue is resolved in Lumiverse 0.9.7.
Potential Impact
Successful exploitation allows an attacker with admin privileges to execute arbitrary commands on the host system, leading to complete compromise of confidentiality, integrity, and availability of the affected system. This is a critical severity vulnerability with a CVSS score of 9.1, indicating high impact on system security.
Mitigation Recommendations
Upgrade Lumiverse to version 0.9.7 or later, where this vulnerability is fixed by properly disabling lifecycle scripts during the extension build pipeline. Until upgraded, avoid installing untrusted extensions and restrict admin privileges to trusted users only. Patch status is confirmed fixed in version 0.9.7.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T15:49:25.192Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16041ae29bf47b505e9f31
Added to database: 5/26/2026, 8:35:38 PM
Last enriched: 5/26/2026, 8:48:58 PM
Last updated: 5/27/2026, 4:18:41 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.