CVE-2026-44449
CriticalSummary
In the Lumiverse application prior to version 0.9.7, there is a vulnerability that allows arbitrary command execution on the Lumiverse server. The issue arises from a lack of validation in the toSmbPath method, enabling the injection of malicious commands through improperly formatted filenames.
Risk Assessment
Exploitation of this vulnerability could lead to full control over the Lumiverse server, posing a serious threat to the security of the organization's data and systems.
Recommendation
It is recommended to update the Lumiverse application to version 0.9.7 or later to eliminate this vulnerability and to conduct a security audit of the system.
Original NVD description (English source)
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7.

