VYPR

Lunary

by Lunary AI

npm: lunary

CVEs (71)

  • CVE-2024-1643 · Critical · Apr 10, 2024
    risk 0.52 · cvss 9.1 · epss 0.01

    By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant…

  • CVE-2025-4962 · High · Aug 18, 2025
    risk 0.43 · cvss 7.7 · epss 0.00

    An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId`…

  • CVE-2024-7456 · Nov 1, 2024
    risk 0.02 · cvss n/a · epss 0.01

    A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without…

  • CVE-2024-5386 · Feb 2, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when…

  • CVE-2024-4147 · Feb 2, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt…

  • CVE-2025-9803 · Nov 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is…

  • CVE-2025-5352 · Aug 23, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any…

  • CVE-2025-4779 · Jul 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where…

  • CVE-2024-11300 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensitive prompt data by…

  • CVE-2024-10272 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token.

  • CVE-2024-8998 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted…

  • CVE-2025-0281 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject malicious JavaScript into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is then set as the value of…

  • CVE-2024-9099 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials,…

  • CVE-2024-8765 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains '/auth/' anywhere within it. This allows unauthenticated attackers to access sensitive endpoints by including…

  • CVE-2024-10330 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive…

  • CVE-2024-8789 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime…

  • CVE-2024-11301 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an…

  • CVE-2024-7476 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is…

  • CVE-2024-9096 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify…

  • CVE-2024-9098 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict…

Page 1 of 4