
lunary

69 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | Score | Severity | Summary |
|---|---|---|---|---|
| CVE-2024-5386 | < 1.2.14 | 8.8 | HIGH | In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'vi |
| CVE-2024-4147 | < 1.2.25 | 6.5 | MEDIUM | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts cre |
| CVE-2025-9803 | all versions | 8.8 | HIGH | lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integratio |
| CVE-2025-5352 | < 1.9.25 | 9.6 | CRITICAL | A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1. |
| CVE-2025-4779 | < 1.9.24 | 6.1 | MEDIUM | lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inj |
| CVE-2025-0281 | < 1.7.10 | 5.4 | MEDIUM | A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject ma |
| CVE-2024-9099 | all versions | 8.1 | HIGH | In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to u |
| CVE-2024-9098 | < 1.4.30 | 6.1 | MEDIUM | In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with bi |
| CVE-2024-9096 | all versions | 7.1 | HIGH | In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH r |
| CVE-2024-9095 | all versions | 9.8 | CRITICAL | In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a |
| CVE-2024-9000 | all versions | 6.5 | MEDIUM | In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without vali |
| CVE-2024-8999 | < 1.4.26 | 7.5 | HIGH | lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery end |
| CVE-2024-8998 | < 1.4.26 | 7.5 | HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the r |
| CVE-2024-8789 | < 1.4.23 | 7.5 | HIGH | Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allow |
| CVE-2024-8765 | < 1.4.23 | 7.3 | HIGH | In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain end |
| CVE-2024-8764 | < 1.4.23 | 7.5 | HIGH | A vulnerability in lunary-ai/lunary, as of commit be54057, allows users to upload and execute arbitrary regular expressions on the |
| CVE-2024-8763 | < 1.4.23 | 7.5 | HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compil |
| CVE-2024-7476 | >= 1.2.7 and < 1.4.3 | 4.3 | MEDIUM | A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authent |
| CVE-2024-11301 | < 1.6.3 | 6.5 | MEDIUM | In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint |
| CVE-2024-11300 | < 1.6.3 | 6.5 | MEDIUM | In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of a |
| CVE-2024-11137 | < 1.6.1 | 7.5 | HIGH | An Insecure Direct Object Reference (IDOR) vulnerability exists in the PATCH /v1/runs/:id/score endpoint of lunary-ai/lunary ver |
| CVE-2024-10762 | < 1.5.9 | 8.1 | HIGH | In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a |
| CVE-2024-10330 | < 1.5.7 | 6.5 | MEDIUM | In lunary-ai/lunary version 1.5.6, the /v1/evaluators/ endpoint lacks proper access control, allowing any user associated with a |
| CVE-2024-10275 | < 1.5.7 | 7.3 | HIGH | In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing re |
| CVE-2024-10274 | < 1.5.7 | 6.5 | MEDIUM | An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access |
| CVE-2024-10273 | < 1.5.7 | 6.5 | MEDIUM | In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models ow |
| CVE-2024-10272 | < 1.4.9 | 7.5 | HIGH | lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset wit |
| CVE-2024-3760 | < 1.2.8 | 7.5 | HIGH | In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulne |
| CVE-2024-3502 | < 1.2.6 | 8.1 | HIGH | In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hash |
| CVE-2024-3501 | < 1.2.6 | 8.1 | HIGH | In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of sin |
| CVE-2024-3379 | >= 1.2.2 and < 1.2.7 | 8.1 | HIGH | In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generat |
| CVE-2024-7456 | all versions | 9.8 | CRITICAL | A SQL injection vulnerability exists in the /api/v1/external-users route of lunary-ai/lunary version v1.4.2. The order by clau |
| CVE-2024-7475 | < 1.3.4 | 9.1 | CRITICAL | An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration wit |
| CVE-2024-7474 | < 1.3.4 | 8.1 | HIGH | In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete e |
| CVE-2024-7473 | all versions | 6.5 | MEDIUM | An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. Thi |
| CVE-2024-7472 | all versions | 6.5 | MEDIUM | lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification |
| CVE-2024-6867 | all versions | 6.5 | MEDIUM | An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the runs/{run_id}/related endpoint. This |
| CVE-2024-6862 | all versions | 8.1 | HIGH | A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings |
| CVE-2024-6582 | < 1.4.9 | 4.3 | MEDIUM | A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The saml.ts file allows a user from one |
| CVE-2024-6087 | < 1.4.9 | 6.5 | MEDIUM | An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnera |
| CVE-2024-6086 | all versions | 4.3 | MEDIUM | In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due |
| CVE-2024-5755 | <= 1.2.11 | 5.3 | MEDIUM | In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email addres |
| CVE-2024-5714 | all versions | 6.8 | MEDIUM | In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to man |
| CVE-2024-5389 | all versions | 8.1 | HIGH | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, ge |
| CVE-2024-4146 | all versions | 9.8 | CRITICAL | In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and |
| CVE-2024-5478 | all versions | 6.1 | MEDIUM | A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint /auth/saml/${org?.id}/metadata of lunary-ai/luna |
| CVE-2024-5328 | all versions | 9.3 | CRITICAL | A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/ |
| CVE-2024-5248 | >= 1.2.5 and < 1.4.9 | 6.5 | MEDIUM | In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET / |
| CVE-2024-5133 | < 1.2.14 | 8.1 | HIGH | In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API |
| CVE-2024-5131 | < 1.2.25 | 6.5 | MEDIUM | An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. |
| CVE-2024-5130 | < 1.2.8 | 7.5 | HIGH | An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticat |
| CVE-2024-5129 | < 1.2.8 | 8.2 | HIGH | A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missi |
| CVE-2024-5128 | < 1.2.25 | 8.8 | HIGH | An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and includin |
| CVE-2024-5126 | >= 1.2.2 and < 1.2.25 | 6.5 | MEDIUM | An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functio |
| CVE-2024-5277 | < 1.4.9 | 7.5 | HIGH | In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not |
| CVE-2024-5127 | >= 1.2.2 and < 1.2.25 | 5.4 | MEDIUM | In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invit |
| CVE-2024-3504 | < 1.2.7 | 6.5 | MEDIUM | An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update |
| CVE-2024-4148 | all versions | 7.5 | HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attack |
| CVE-2024-4154 | < 1.2.26 | 6.5 | MEDIUM | In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do |
| CVE-2024-4151 | < 1.2.25 | 8.1 | HIGH | An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in |
| CVE-2024-3761 | < 1.2.8 | 7.5 | HIGH | In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at packages/backend/src/api/v1/datasets is vulnerable to unauthor |
| CVE-2024-1739 | < 1.0.2 | 9.1 | CRITICAL | lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. |
| CVE-2024-1738 | < 1.2.4 | 7.5 | HIGH | An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route |
| CVE-2024-1666 | < 1.2.7 | 5.3 | MEDIUM | In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems f |
| CVE-2024-1626 | < 1.0.0 | 8.1 | HIGH | An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the proj |
| CVE-2024-1902 | < 1.2.8 | 7.5 | HIGH | lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper a |
| CVE-2024-1741 | < 1.2.8 | 9.1 | CRITICAL | lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and dele |
| CVE-2024-1740 | < 1.2.7 | 9.1 | CRITICAL | In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify |
| CVE-2024-1625 | all versions | 6.5 | MEDIUM | An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauth |
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin