Unrated severity · NVD Advisory · Published Jul 7, 2025 · Updated Jul 7, 2025
Stored Cross-site Scripting (XSS) in lunary-ai/lunary
CVE-2025-4779
Description
lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the v1/runs/ingest endpoint by adding an empty citations field, triggering a code path where dangerouslySetInnerHTML is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.
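The safe pattern for the sink described above, as an added example that is not Lunary's code: escape untrusted text before any markup is built for dangerouslySetInnerHTML. The function names, the `[n]` citation-marker syntax and the sample message are assumptions; only the sink and the empty citations field come from the advisory.

```javascript
// Added example: hypothetical helpers, not taken from the lunary code base.
// Assumption: message text may contain "[n]" markers that become links to
// citations[n-1], and the resulting string is handed to an innerHTML-style
// sink such as React's dangerouslySetInnerHTML.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) URLs may become href values; anything else is dropped.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed.href : null;
  } catch {
    return null;
  }
}

// "Before" pattern: untrusted text reaches the markup string unescaped.
function renderCitationsUnsafe(text, citations) {
  return text.replace(/\[(\d+)\]/g, (m, n) =>
    citations[n - 1] ? `<a href="${citations[n - 1]}">${m}</a>` : m);
}

// Hardened pattern: escape all untrusted text first, then add trusted markup.
function renderCitationsSafe(text, citations) {
  const list = Array.isArray(citations) ? citations : [];
  return escapeHtml(text).replace(/\[(\d+)\]/g, (m, n) => {
    const href = safeHref(list[Number(n) - 1]);
    return href ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${m}</a>` : m;
  });
}

// Constructed sample: an ingested message with an empty citations array.
const sample = { text: "<img src=x onerror=alert(1)> see [1]", citations: [] };
const unsafeHtml = renderCitationsUnsafe(sample.text, sample.citations); // markup survives
const safeHtml = renderCitationsSafe(sample.text, sample.citations);     // markup is inert text
```

Where no markup has to be injected at all, rendering the text as an ordinary React child and dropping dangerouslySetInnerHTML removes the sink entirely.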
Affected products
- lunary-ai/lunary-ai/lunary v5 · Range: unspecified
Patches
No patches discovered yet.