Lumiverse EUVD-2026-31980

CVE-2026-44449 CRITICAL
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-26 GitHub_M
CVSS 3.1: 9.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: May 26, 2026 - 22:02 (EUVD)
Analysis Generated: May 26, 2026 - 21:00 (vuln.today)

Description (NVD)

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7.
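
The basename check described above, sketched as an added example in JavaScript (not Lumiverse's own code or its 0.9.7 fix). The function names, the `get` subcommand and the set of rejected characters are assumptions. Every component of the path, including the basename, is validated before the smbclient -c script is built.

```javascript
// Added example; function names are hypothetical, not Lumiverse's own code.

// ';' separates smbclient subcommands and '!' starts a local shell escape;
// quotes, backslashes and control characters could end the quoted argument
// early. None of them may appear in any path component.
const UNSAFE_CHARS = /[;!"'`\\\x00-\x1f\x7f]/;

function assertSafeComponent(name) {
  if (typeof name !== 'string' || name === '' || name === '.' || name === '..') {
    throw new Error(`invalid SMB path component: ${JSON.stringify(name)}`);
  }
  if (UNSAFE_CHARS.test(name)) {
    throw new Error(`unsafe character in SMB path component: ${JSON.stringify(name)}`);
  }
  return name;
}

// Fallback split into directory and basename, with BOTH halves validated.
function splitAndValidate(fullPath) {
  const cut = fullPath.lastIndexOf('/');
  const dir = cut === -1 ? '' : fullPath.slice(0, cut);
  const base = fullPath.slice(cut + 1);
  const dirParts = dir.split('/').filter((p) => p !== '');
  dirParts.forEach(assertSafeComponent);
  assertSafeComponent(base); // the basename check the advisory describes as missing
  return { dir: dirParts.join('\\'), base };
}

// Build the smbclient -c script only from validated components.
function buildGetScript(fullPath) {
  const { dir, base } = splitAndValidate(fullPath);
  const remote = dir ? `${dir}\\${base}` : base;
  return `get "${remote}"`;
}

// Non-throwing wrapper for callers that only need a yes/no answer.
function isSafeSmbPath(fullPath) {
  try {
    splitAndValidate(fullPath);
    return true;
  } catch {
    return false;
  }
}
```

Rejecting the path outright, rather than trying to escape the separator characters, keeps the script free of anything smbclient could read as a second subcommand.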

Analysis (AI)

Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers to execute arbitrary OS commands on the host. When the primary toSmbPath(fullPath) routine throws, a fallback path concatenates the unvalidated basename into an smbclient -c script, where ';' acts as a subcommand separator and '!cmd' triggers a local shell escape. …

Remediation (AI)

Within 24 hours: inventory all Lumiverse AI chat application deployments and confirm their versions. Within 7 days: implement access controls limiting high-privilege administrative functions to essential personnel only, and enable comprehensive logging of application activity. …
