Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7.
AnalysisAI
Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers to execute arbitrary OS commands on the host. When the primary toSmbPath(fullPath) routine throws, a fallback path concatenates the unvalidated basename into an smbclient -c script, where ';' acts as a subcommand separator and '!cmd' triggers a local shell escape. No public exploit identified at time of analysis, and the issue is not currently in CISA KEV.
Technical ContextAI
Lumiverse (CPE cpe:2.3:a:prolix-oc:lumiverse) is a full-featured AI chat application that integrates with SMB shares via the smbclient utility. The root cause aligns with CWE-88 (Argument Injection): the code passes user-influenced path components directly into the -c script argument to smbclient. smbclient's interactive command grammar treats ';' as a command separator and '!<cmd>' as a 'local shell' escape that spawns /bin/sh on the host, so any unsanitised characters reaching that string become host-level commands. The vulnerable path is specifically the fallback after toSmbPath() fails: only the directory prefix is validated, while the basename is trusted and concatenated verbatim.
RemediationAI
Vendor-released patch: upgrade Lumiverse to 0.9.7 or later, where the basename is properly validated before being placed into the smbclient -c script (see https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-4v38-9hqq-7j53). Until the upgrade is applied, restrict who holds the privileged role required to submit SMB paths and, where possible, disable or gate the SMB integration feature entirely - accepting loss of SMB browsing functionality in exchange for blocking the injection sink. As a network-side compensating control, isolate the Lumiverse host so its outbound shell cannot reach internal resources, and consider running the process under a low-privilege service account to reduce blast radius of any successful '!cmd' escape.
Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-
Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary Jav
Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attacker
Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthori
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31980