A critical command injection vulnerability exists in Lumiverse, a full-featured AI chat application, affecting versions prior to 0.9.7. The flaw resides in SMB path handling logic where a fallback code path fails to sanitize the basename component of file paths. When the primary `toSmbPath(fullPath)` call throws an exception, the application splits the path into directory and basename components, validates [truncated]
A critical vulnerability in Lumiverse's Spindle extension build pipeline allows malicious extensions to execute arbitrary host-level code during installation. The issue stems from `bun install` being invoked without the `--ignore-scripts` flag prior to the `assertSafeBackendBundle` static safety scan. This enables a malicious extension containing lifecycle scripts (preinstall, postinstall, or prepare) in [truncated]
A race condition vulnerability exists in Lumiverse, an AI chat application, prior to version 0.9.7. The `consumeNonce()` function fails to validate values from incoming HTTP requests or bind nonces to specific admin sessions. When an admin's `auth.api.signUpEmail()` call fails before the before hook executes—such as when BetterAuth rejects a duplicate email at the validation layer—the nonce is set but nev [truncated]