VYPR
Vendor

Lumiverse

Products
171
CVEs
86
Across products
44
Status
Private

Products

171
View all 171 products →

Recent CVEs

86
View all 86 CVEs →
  • CVE-2026-44450CriMay 26, 2026
    risk 0.64cvss 9.9epss 0.00

    Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an…

  • CVE-2024-39015CriJul 1, 2024
    risk 0.64cvss 9.8epss 0.01

    cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-39013CriJul 1, 2024
    risk 0.64cvss 9.8epss 0.01

    2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-36575CriJun 17, 2024
    risk 0.64cvss 9.8epss 0.01

    A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.

  • CVE-2026-47430CriJun 8, 2026
    risk 0.62cvss epss 0.01

    ## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser…

  • CVE-2018-12519HigJun 19, 2018
    risk 0.61cvss 8.8epss 0.08

    An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.

  • CVE-2026-44451CriMay 26, 2026
    risk 0.60cvss 9.3epss 0.00

    Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator…

  • CVE-2026-44449CriMay 26, 2026
    risk 0.59cvss 9.1epss 0.00

    Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script…

  • CVE-2026-44444CriMay 26, 2026
    risk 0.59cvss 9.1epss 0.00

    Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json…

  • CVE-2019-19723criSep 4, 2020
    risk 0.59cvss epss 0.00

    All versions of `passport-cognito` are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated…

  • CVE-2017-16034criSep 1, 2020
    risk 0.59cvss epss 0.00

    Affected versions of `pidusage` pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable. ## Proof of Concept…

  • CVE-2026-9961HigMay 28, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in SurfaceCapture in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2024-39016HigJul 1, 2024
    risk 0.53cvss 8.1epss 0.01

    che3vinci c3/utils-1 1.0.131 was discovered to contain a prototype pollution via the function assign. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2026-34713HigJun 9, 2026
    risk 0.49cvss 7.5epss 0.00

    CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition.…

  • CVE-2026-34711HigJun 9, 2026
    risk 0.49cvss 7.5epss 0.00

    CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue…

  • CVE-2026-9956HigMay 28, 2026
    risk 0.49cvss 7.5epss 0.00

    Use after free in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-9496HigMay 26, 2026
    risk 0.49cvss 7.5epss 0.00

    Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and…

  • CVE-2024-36527MedJun 17, 2024
    risk 0.49cvss 6.5epss 0.03

    puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.

  • CVE-2024-22363HigApr 5, 2024
    risk 0.49cvss 7.5epss 0.01

    SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).

  • CVE-2018-11615HigAug 30, 2018
    risk 0.49cvss 7.5epss 0.03

    This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to…