CVE-2026-44451
Description
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments ('ownerDoc' + 'ument'). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node['ownerDoc'+'ument']['def'+'aultView'] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session. This vulnerability is fixed in 0.9.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sandbox escape in Lumiverse ≤0.9.5 lets an attacker execute arbitrary code via malicious theme packs, bypassing TSX component override controls.
Vulnerability
The component override system in Lumiverse prior to version 0.9.5 transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined [1]. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers using word-boundary regex patterns [1]. However, both controls can be bypassed. The static validator is bypassed by reconstructing a blocked identifier at runtime from string fragments (e.g., 'ownerDoc' + 'ument') [1]. The DOM ref escape uses useRef and useEffect, which are provided in scope; a ref attached to a rendered element yields a live DOM node, from which node['ownerDoc'+'ument']['def'+'aultView'] returns the real window object [1]. Theme packs (.lumitheme / .lumiverse-theme) serve as the delivery mechanism [1].
Exploitation
An attacker creates a malicious theme pack containing a crafted component override. The exploit does not require authentication beyond the victim being logged into Lumiverse [1]. The attacker delivers the pack to a victim, who imports the file and enables the override in the Theme Editor [1]. The victim's action—enabling the override—triggers the payload, which executes in the context of the victim's authenticated session [1]. The attacker can remotely induce the victim to import and enable the malicious theme pack (e.g., via social engineering or by hosting the pack on a site the victim visits) [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's Lumiverse session, bypassing the intended sandbox [1]. This can lead to full compromise of the victim's account, including the ability to access chat history, send messages on behalf of the victim, and exfiltrate sensitive data [1]. The attacker effectively achieves arbitrary code execution (ACE) within the application context [1].
Mitigation
The vulnerability is fixed in Lumiverse version 0.9.7 [1]. Users should upgrade to version 0.9.7 or later [1]. There are no known workarounds for affected versions [1]. As of the publication date (2026-05-26), this CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles indexed yet)