📦 Lunary
by Lunary
🔍 What is Lunary?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
A critical stored XSS vulnerability in lunary-ai/lunary Analytics component allows arbitrary JavaScript execution in all users' browsers when attackers control the NEXT_PUBLIC_CUSTOM_SCRIPT environmen...
This SQL injection vulnerability in lunary-ai/lunary v1.4.2 allows attackers to execute arbitrary SQL commands through the `/api/v1/external-users` endpoint. The vulnerability affects all systems runn...
This vulnerability allows unauthorized attackers to modify SAML configuration settings in lunary-ai/lunary version 1.3.2. This can lead to authentication bypass, fraudulent logins, and potential user ...
This CVE describes an authorization bypass vulnerability in lunary-ai/lunary version v1.2.13 that allows unauthorized users to access and manipulate projects they shouldn't have access to. Attackers c...
This SSRF vulnerability in lunary-ai/lunary allows attackers to make unauthorized server-side requests to internal or external resources by exploiting an unvalidated URL parameter in the SAML authenti...
This vulnerability allows attackers to create multiple accounts with the same email address by varying character case (e.g., User@example.com vs user@example.com). This affects all users of lunary-ai/...
This vulnerability allows users who have been removed from an organization to continue accessing and manipulating logs and project data using old authorization tokens. The lunary web application fails...
In lunary-ai/lunary version 1.2.2, a privilege escalation vulnerability allows users with 'viewer' role to hijack other user accounts by obtaining password reset tokens. This occurs when viewer-role u...
This vulnerability allows account takeover in lunary-ai/lunary due to improper Google OAuth authentication. Attackers can use access tokens from malicious applications to gain unauthorized access to u...
This vulnerability in lunary-ai/lunary exposes both public and private API keys through the GET /projects endpoint to users with minimal permissions like Viewers or Prompt Editors. Attackers can use t...
This vulnerability allows low-privilege users to modify checklists in lunary-ai/lunary version 1.4.28 by exploiting missing access controls on the /checklists/:id PATCH endpoint. Any user associated w...
This vulnerability in lunary-ai/lunary allows any user to export the entire database to Google BigQuery without proper authentication or authorization. It affects all deployments running version v1.4....
A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary allows attackers to submit specially crafted inputs that cause the server to hang for extended periods by exploiting in...
This vulnerability allows unauthenticated attackers to bypass authentication in lunary-ai/lunary by including '/auth/' in API endpoint paths. Attackers can access sensitive data, modify information, a...
This vulnerability in lunary-ai/lunary allows authenticated users to upload and execute arbitrary regular expressions on the server, potentially causing excessive resource consumption and Denial of Se...
A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary allows attackers to cause indefinite server hangs by sending specially crafted input with excessive braces. This affect...
An incorrect authorization vulnerability in lunary-ai/lunary allows users with 'Member' role to regenerate private keys for projects they shouldn't have access to. This affects versions 1.2.2 through ...
This vulnerability exposes account recovery hashes through API endpoints in lunary-ai/lunary, allowing authenticated users to access sensitive information that could facilitate account recovery attack...
This IDOR vulnerability in lunary-ai/lunary version 1.3.2 allows authenticated users to view or delete external user accounts by manipulating the 'id' parameter in API requests. The application fails ...
This CSRF vulnerability in lunary-ai/lunary version 1.2.34 allows attackers to perform unauthorized actions like creating projects by exploiting overly permissive CORS settings. It primarily affects l...
This vulnerability allows authenticated users to capture password recovery tokens from other users via the API, enabling account takeover by resetting passwords without consent. It affects all users o...
This IDOR vulnerability in lunary-ai/lunary allows unauthorized users to view, modify, or delete any dataset_prompt or dataset_prompt_variation across all datasets and projects. It affects all users r...
This CVE describes an incorrect authorization vulnerability in lunary-ai/lunary that allows unauthenticated users to delete any dataset without proper authentication. The vulnerability exists because ...
A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary version 1.2.10 allows attackers to send specially crafted requests that cause catastrophic backtracking in regular expr...
An improper access control vulnerability in lunary-ai/lunary version 1.2.2 allows users to view and update any prompts in any projects due to insufficient access control checks in PATCH and GET reques...
This vulnerability allows any user, including those without authentication, to delete datasets in lunary-ai/lunary by sending a DELETE request to the vulnerable endpoint. It affects all users of versi...
This vulnerability allows unauthorized users to access any organization's evaluation results by simply knowing the evaluation ID, due to missing project ID verification in the SQL query. It affects al...
This vulnerability allows removed users to modify organization names in lunary-ai/lunary by reusing old session tokens. Attackers can exploit this authorization flaw to make unauthorized changes to or...
This vulnerability allows authenticated users in lunary-ai/lunary to delete prompts belonging to other organizations through ID manipulation. The application fails to validate prompt ownership before ...
This stored XSS vulnerability in lunary-ai/lunary allows unauthenticated attackers to inject malicious JavaScript via the v1/runs/ingest endpoint. When exploited, arbitrary code executes in users' bro...
A stored cross-site scripting vulnerability in lunary-ai/lunary allows attackers to inject malicious JavaScript into SAML IdP XML metadata. This JavaScript executes when users attempt SAML login, pote...
This privilege escalation vulnerability allows administrators in lunary-ai/lunary to invite new users with billing permissions, bypassing intended access controls. This enables unauthorized access to ...
This vulnerability allows unauthorized users to create or modify checklists in lunary-ai/lunary, bypassing permission checks. Attackers can also spoof existing checklists by reusing slugs, potentially...
This broken access control vulnerability allows authenticated attackers to modify any user's templates in lunary-ai/lunary by sending crafted HTTP POST requests. Organizations using versions 1.2.7 thr...
This vulnerability allows attackers to overwrite existing evaluator data by submitting POST requests with duplicate slugs in the same project. It affects all users of lunary-ai/lunary versions before ...
In lunary-ai/lunary version 1.5.6, the /v1/evaluators/ endpoint lacks proper access control, allowing any authenticated user associated with a project to retrieve all evaluator data regardless of thei...
This vulnerability allows users with viewer roles in lunary-ai/lunary to modify models owned by other users due to missing privilege checks in the PATCH endpoint. It affects all deployments running ve...
An Insecure Direct Object Reference (IDOR) vulnerability in lunary-ai/lunary allows authenticated users to modify other users' prompts by manipulating the 'id' parameter in API requests. This affects ...
This vulnerability allows attackers to exploit the user invitation system in lunary-ai/lunary to obtain valid JWT tokens and perform account takeover. Attackers can invite target users, obtain one-tim...
In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows team members with management permissions to manipulate project identifiers in API requests. This enables them to invi...