VYPR
Vendor: Monica

Products: 2
CVEs: 22
Across products: 22
Status: Private

Recent CVEs (22)
  • CVE-2024-54996 | High | Jan 10, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create.

  • CVE-2023-1094 | High | May 8, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/food` endpoint and food parameter.

  • CVE-2023-1031 | High | May 8, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter.

  • CVE-2024-48142 | High | Oct 24, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica ChatGPT AI Assistant v2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message.

  • CVE-2024-54999 | Medium | Jan 13, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter in the General Information module.

  • CVE-2024-54994 | Medium | Jan 10, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_name parameters in the Add a new relationship feature.

  • CVE-2024-54951 | Medium | Feb 13, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Monica 4.1.2 is vulnerable to Cross Site Scripting (XSS). A malicious user can create a malformed contact and use that contact in the "HOW YOU MET" customization options to trigger the XSS.

  • CVE-2024-54998 | Medium | Jan 10, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create.

  • CVE-2024-54997 | Medium | Jan 10, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field at /journal/entries/ID/edit.

  • CVE-2023-50465 | Medium | Dec 11, 2023
    risk 0.35 | cvss 5.4 | epss 0.01

    A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.

  • CVE-2023-30790 | Medium | May 8, 2023
    risk 0.35 | cvss 5.4 | epss 0.01

    MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/relationships` endpoint and first_name and last_name parameters.

  • CVE-2023-30789 | Medium | May 8, 2023
    risk 0.35 | cvss 5.4 | epss 0.01

    MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/work` endpoint and job and company parameters.

  • CVE-2023-30788 | Medium | May 8, 2023
    risk 0.35 | cvss 5.4 | epss 0.01

    MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and nickName, description, lastName, middleName and firstName parameters.

  • CVE-2023-30787 | Medium | May 8, 2023
    risk 0.35 | cvss 5.4 | epss 0.01

    MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/introductions` endpoint and first_met_additional_info parameter.

  • CVE-2024-45989 | Medium | Sep 26, 2024
    risk 0.26 | cvss 4.0 | epss 0.00

    Monica AI Assistant desktop application v2.3.0 is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. A prompt injection allows an attacker to modify chatbot answer with an unloaded image that exfiltrates the user's sensitive chat data of the current…

  • CVE-2021-27370 | Medium | Feb 22, 2021
    risk 0.03 | cvss 5.4 | epss 0.03

    The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field.

  • CVE-2026-26747 | Feb 20, 2026
    risk 0.00 | cvss | epss 0.00

    A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application…

  • CVE-2020-35660 | Medium | Apr 14, 2021
    risk 0.00 | cvss 5.4 | epss 0.01

    Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page.

  • CVE-2021-27559 | Medium | Feb 22, 2021
    risk 0.00 | cvss 5.4 | epss 0.01

    The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field.

  • CVE-2021-27371 | Medium | Feb 22, 2021
    risk 0.00 | cvss 5.4 | epss 0.01

    The Contact page in Monica 2.19.1 allows stored XSS via the Description field.
