Lunary-Ai Lunary vulnerabilities
71 known vulnerabilities affecting lunary-ai/lunary-ai_lunary.
Total CVEs: 71
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 33, MEDIUM 28
Vulnerabilities
Page 4 of 4
CVE-2024-7472 | P4 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 1.4.10 | 2024-10-29
CVE-2024-7472 [MEDIUM] CWE-93
lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exp
Source: nvd
CVE-2024-9098 | P4 | MEDIUM | CVSS 6.1 | ≥ unspecified, < 1.4.30 | 2025-03-20
CVE-2024-9098 [MEDIUM] CWE-863
In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict admins from inviting users with billing roles. As a result, admins can circu
Source: nvd
CVE-2024-5755 | P4 | MEDIUM | CVSS 5.3 | ≥ unspecified, ≤ latest | 2024-06-27
CVE-2024-5755 [MEDIUM] CWE-821
In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. This allows the creation of multiple accounts with essentially the same email address (e.g., '[email protected]' and '[email protected]'), leading to incorrect synchronization and potential security issues.
Source: nvd
CVE-2024-1666 | P4 | MEDIUM | CVSS 5.3 | ≥ unspecified, < 1.2.7 | 2024-04-16
CVE-2024-1666 [MEDIUM] CWE-770
In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI. As a result, attackers can bypass the intended account upgrade requirement
Source: nvd
CVE-2025-4779 | P4 | MEDIUM | CVSS 6.1 | ≥ unspecified, < 1.9.24 | 2025-07-07
CVE-2025-4779 [MEDIUM] CWE-79
lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows t
Source: nvd
CVE-2024-5127 | P4 | MEDIUM | CVSS 5.4 | ≥ unspecified, < 1.2.25 | 2024-06-06
CVE-2024-5127 [MEDIUM] CWE-862
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a
Source: nvd
CVE-2024-5478 | P4 | MEDIUM | CVSS 6.1 | ≥ unspecified, ≤ latest | 2024-06-06
CVE-2024-5478 [MEDIUM] CWE-79
A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before incorporating it into the generated response. Specifically, the endpoint gen
Source: nvd
CVE-2025-0281 | P4 | MEDIUM | CVSS 5.4 | ≥ unspecified, < 1.7.10 | 2025-03-20
CVE-2025-0281 [MEDIUM] CWE-79
A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject malicious JavaScript into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is then set as the value of `window.location.href` without proper validation or sanitization. This vulnerabil
Source: nvd
CVE-2024-7476 | P4 | MEDIUM | CVSS 4.3 | ≥ unspecified, < 1.4.3 | 2025-03-20
CVE-2024-7476 [MEDIUM] CWE-639
A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is resolved in version 1.4.3.
Source: nvd
CVE-2024-6582 | P4 | MEDIUM | CVSS 4.3 | ≥ unspecified, < 1.4.9 | 2024-09-13
CVE-2024-6582 [MEDIUM] CWE-306
A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the
Source: nvd
CVE-2024-6086 | P4 | MEDIUM | CVSS 4.3 | ≥ unspecified, < 1.4.10 | 2024-06-27
CVE-2024-6086 [MEDIUM] CWE-863
In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.
Source: nvd