VYPR

Lunary AI: All CVEs

71 total · sorted by risk
  • CVE-2024-1643 · Critical · Apr 10, 2024
    risk 0.52 · cvss 9.1 · epss 0.01

    By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant…

  • CVE-2025-4962 · High · Aug 18, 2025
    risk 0.43 · cvss 7.7 · epss 0.00

    An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId`…

  • CVE-2024-7456 · Nov 1, 2024
    risk 0.02 · cvss n/a · epss 0.01

    A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without…

  • CVE-2024-5386 · Feb 2, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when…

  • CVE-2024-4147 · Feb 2, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt…

  • CVE-2025-9803 · Nov 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is…

  • CVE-2025-5352 · Aug 23, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any…

  • CVE-2025-4779 · Jul 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where…

  • CVE-2024-11300 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensitive prompt data by…

  • CVE-2024-10272 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token.

  • CVE-2024-8998 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted…

  • CVE-2025-0281 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject malicious JavaScript into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is then set as the value of…

  • CVE-2024-9099 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials,…

  • CVE-2024-8765 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains '/auth/' anywhere within it. This allows unauthenticated attackers to access sensitive endpoints by including…

  • CVE-2024-10330 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive…

  • CVE-2024-8789 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime…

  • CVE-2024-11301 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an…

  • CVE-2024-7476 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is…

  • CVE-2024-9096 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify…

  • CVE-2024-9098 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict…

  • CVE-2024-8764 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in lunary-ai/lunary, as of commit be54057, allows users to upload and execute arbitrary regular expressions on the server side. This can lead to a Denial of Service (DoS) condition, as certain regular expressions can cause excessive resource consumption, blocking…

  • CVE-2024-10762 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete…

  • CVE-2024-9000 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended…

  • CVE-2024-10275 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an…

  • CVE-2024-10274 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access control mechanisms, allowing unauthorized users to access sensitive information about all team members in the current organization. This…

  • CVE-2024-11137 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which…

  • CVE-2024-8763 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression…

  • CVE-2024-8999 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or…

  • CVE-2024-10273 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should…

  • CVE-2024-9095 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is…

  • CVE-2024-3760 · Nov 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. Attackers can exploit this by automating forgot password requests to flood targeted user accounts with a high volume of password reset…

  • CVE-2024-3502 · Nov 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me`…

  • CVE-2024-3501 · Nov 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such…

  • CVE-2024-3379 · Nov 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private…

  • CVE-2024-7472 · Oct 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a…

  • CVE-2024-7473 · Oct 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in…

  • CVE-2024-7474 · Oct 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing…

  • CVE-2024-7475 · Oct 29, 2024
    risk 0.00 · cvss n/a · epss 0.01

    An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user…

  • CVE-2024-6862 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main…

  • CVE-2024-6867 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the…

  • CVE-2024-6087 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to…

  • CVE-2024-6582 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to…

  • CVE-2024-6086 · Jun 27, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor'…

  • CVE-2024-5755 · Jun 27, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. This allows the creation of multiple accounts with essentially the same email address (e.g., 'attacker123@gmail.com' and…

  • CVE-2024-5714 · Jun 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other…

  • CVE-2024-5389 · Jun 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the…

  • CVE-2024-4146 · Jun 8, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess`…

  • CVE-2024-5328 · Jun 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to validate user-supplied URLs before using them in…

  • CVE-2024-5248 · Jun 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing…

  • CVE-2024-5130 · Jun 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically,…

Page 1 of 2