VYPR
Vendor

Lumiverse

Products
171
CVEs
83
Across products
42
Status
Private

Products

171
View all 171 products →

Recent CVEs

83
View all 83 CVEs →
  • CVE-2026-44450CriMay 26, 2026
    risk 0.64cvss 9.9epss 0.00

    Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an…

  • CVE-2024-39015CriJul 1, 2024
    risk 0.64cvss 9.8epss 0.01

    cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-39013CriJul 1, 2024
    risk 0.64cvss 9.8epss 0.01

    2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-36575CriJun 17, 2024
    risk 0.64cvss 9.8epss 0.01

    A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.

  • CVE-2020-28440CriDec 11, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.

  • CVE-2020-28439CriDec 11, 2020
    risk 0.64cvss 9.8epss 0.02

    This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js.' It depends on a vulnerable package 'corenlp-js-interface.' Vulnerability can be exploited with the following PoC:

  • CVE-2020-7726CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.

  • CVE-2020-7725CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.

  • CVE-2020-7723CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function.

  • CVE-2020-7721CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.

  • CVE-2020-7718CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.

  • CVE-2020-7716CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package deeps are vulnerable to Prototype Pollution via the set function.

  • CVE-2020-7604CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to…

  • CVE-2020-7603CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization.

  • CVE-2020-8128CriFeb 14, 2020
    risk 0.64cvss 9.8epss 0.03

    An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.

  • CVE-2019-10769CriDec 6, 2019
    risk 0.64cvss 9.8epss 0.03

    safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError.

  • CVE-2026-47430CriJun 8, 2026
    risk 0.62cvss epss 0.01

    ## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser…

  • CVE-2020-28435CriJul 25, 2022
    risk 0.61cvss 9.4epss 0.01

    This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.

  • CVE-2018-12519HigJun 19, 2018
    risk 0.61cvss 8.8epss 0.08

    An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.

  • CVE-2026-44451CriMay 26, 2026
    risk 0.60cvss 9.3epss 0.00

    Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator…