CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5352 – Environment Variable XSS in Analytics Component in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2025-5352
23 Aug 2025 — A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account ta... • https://huntr.com/bounties/f1d3dbce-3c3e-480e-b81e-0e8afa05c491 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4962 – IDOR Vulnerability in Template Creation via `projectId` Manipulation in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2025-4962
18 Aug 2025 — An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified `projectId`. The vulnerability has been addressed in version 1.9.23. • https://huntr.com/bounties/137a0aef-e243-49d4-832f-8e56056cba1a • CWE-284: Improper Access Control •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4779 – Stored Cross-site Scripting (XSS) in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2025-4779
07 Jul 2025 — lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions. • https://github.com/lunary-ai/lunary/commit/18750294a76ff6c0f3f1b6af4ac1a23399836b16 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-3502 – Exposure of Sensitive Information in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-3502
14 Nov 2024 — In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could... • https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-922: Insecure Storage of Sensitive Information •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-3501 – Exposure of Sensitive Information in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-3501
14 Nov 2024 — In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in... • https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-922: Insecure Storage of Sensitive Information •
CVSS: 10.0EPSS: 17%CPEs: 1EXPL: 1CVE-2024-7456 – SQL Injection in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-7456
01 Nov 2024 — A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption. • https://github.com/77Philly/CVE-2024-7456scripts • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-7473 – IDOR Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-7473
29 Oct 2024 — An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3. • https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa • CWE-269: Improper Privilege Management CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-7474 – IDOR in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-7474
29 Oct 2024 — In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data. • https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5 • CWE-284: Improper Access Control CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-7475 – Improper Access Control in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-7475
29 Oct 2024 — An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users. • https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5 • CWE-284: Improper Access Control •
CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-6862 – Cross-Site Request Forgery (CSRF) in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-6862
13 Sep 2024 — A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks. • https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54 • CWE-352: Cross-Site Request Forgery (CSRF) •