Lumiverse
Products
171- CLI6 CVEsnpm
- 5 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- Anchorme1 CVEnpm
- Angular1 CVEnpm
- Bleach1 CVEnpm
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- Deeps1 CVEnpm
- Djvalidator1 CVEnpm
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- View all 171 products →
Recent CVEs
83| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44450 | Cri | 0.64 | 9.9 | 0.00 | May 26, 2026 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an… | ||
| CVE-2024-39015 | Cri | 0.64 | 9.8 | 0.01 | Jul 1, 2024 | cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||
| CVE-2024-39013 | Cri | 0.64 | 9.8 | 0.01 | Jul 1, 2024 | 2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||
| CVE-2024-36575 | Cri | 0.64 | 9.8 | 0.01 | Jun 17, 2024 | A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor. | ||
| CVE-2020-28440 | Cri | 0.64 | 9.8 | 0.02 | Dec 11, 2020 | All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function. | ||
| CVE-2020-28439 | Cri | 0.64 | 9.8 | 0.02 | Dec 11, 2020 | This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js.' It depends on a vulnerable package 'corenlp-js-interface.' Vulnerability can be exploited with the following PoC: | ||
| CVE-2020-7726 | Cri | 0.64 | 9.8 | 0.02 | Sep 1, 2020 | All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function. | ||
| CVE-2020-7725 | Cri | 0.64 | 9.8 | 0.02 | Sep 1, 2020 | All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function. | ||
| CVE-2020-7723 | Cri | 0.64 | 9.8 | 0.02 | Sep 1, 2020 | All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function. | ||
| CVE-2020-7721 | Cri | 0.64 | 9.8 | 0.02 | Sep 1, 2020 | All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function. | ||
| CVE-2020-7718 | Cri | 0.64 | 9.8 | 0.02 | Sep 1, 2020 | All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions. | ||
| CVE-2020-7716 | Cri | 0.64 | 9.8 | 0.02 | Sep 1, 2020 | All versions of package deeps are vulnerable to Prototype Pollution via the set function. | ||
| CVE-2020-7604 | Cri | 0.64 | 9.8 | 0.03 | Mar 15, 2020 | pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to… | ||
| CVE-2020-7603 | Cri | 0.64 | 9.8 | 0.03 | Mar 15, 2020 | closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization. | ||
| CVE-2020-8128 | Cri | 0.64 | 9.8 | 0.03 | Feb 14, 2020 | An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code. | ||
| CVE-2019-10769 | Cri | 0.64 | 9.8 | 0.03 | Dec 6, 2019 | safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError. | ||
| CVE-2026-47430 | Cri | 0.62 | — | 0.01 | Jun 8, 2026 | ## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser… | ||
| CVE-2020-28435 | Cri | 0.61 | 9.4 | 0.01 | Jul 25, 2022 | This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js. | ||
| CVE-2018-12519 | Hig | 0.61 | 8.8 | 0.08 | Jun 19, 2018 | An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials. | ||
| CVE-2026-44451 | Cri | 0.60 | 9.3 | 0.00 | May 26, 2026 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator… |
- risk 0.64cvss 9.9epss 0.00
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an…
- risk 0.64cvss 9.8epss 0.01
cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- risk 0.64cvss 9.8epss 0.01
2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- risk 0.64cvss 9.8epss 0.01
A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.
- risk 0.64cvss 9.8epss 0.02
All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.
- risk 0.64cvss 9.8epss 0.02
This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js.' It depends on a vulnerable package 'corenlp-js-interface.' Vulnerability can be exploited with the following PoC:
- risk 0.64cvss 9.8epss 0.02
All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.
- risk 0.64cvss 9.8epss 0.02
All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.
- risk 0.64cvss 9.8epss 0.02
All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function.
- risk 0.64cvss 9.8epss 0.02
All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.
- risk 0.64cvss 9.8epss 0.02
All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.
- risk 0.64cvss 9.8epss 0.02
All versions of package deeps are vulnerable to Prototype Pollution via the set function.
- risk 0.64cvss 9.8epss 0.03
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to…
- risk 0.64cvss 9.8epss 0.03
closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization.
- risk 0.64cvss 9.8epss 0.03
An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.
- risk 0.64cvss 9.8epss 0.03
safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError.
- risk 0.62cvss —epss 0.01
## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser…
- risk 0.61cvss 9.4epss 0.01
This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.
- risk 0.61cvss 8.8epss 0.08
An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.
- risk 0.60cvss 9.3epss 0.00
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator…