Vulnerabilities > Lunary
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-03-20 | CVE-2024-11300 | Unspecified vulnerability in Lunary In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. | 6.5 |
| 2025-03-20 | CVE-2024-8998 | Unspecified vulnerability in Lunary A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. | 7.5 |
| 2025-03-20 | CVE-2024-8999 | Improper Access Control vulnerability in Lunary lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. | 7.5 |
| 2025-03-20 | CVE-2024-9000 | Improper Authorization vulnerability in Lunary 1.4.26 In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. | 6.5 |
| 2025-03-20 | CVE-2024-9095 | Improper Authorization vulnerability in Lunary 1.4.28 In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. | 9.8 |
| 2025-03-20 | CVE-2024-9096 | Improper Authorization vulnerability in Lunary 1.4.28 In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. | 7.1 |
| 2025-03-20 | CVE-2024-9098 | Improper Access Control vulnerability in Lunary In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. | 6.1 |
| 2025-03-20 | CVE-2024-9099 | Exposure of Sensitive Information Through Metadata vulnerability in Lunary 1.4.29 In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. | 8.1 |
| 2025-03-20 | CVE-2025-0281 | Cross-site Scripting vulnerability in Lunary A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. | 5.4 |
| 2024-11-14 | CVE-2024-3760 | Unspecified vulnerability in Lunary In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. | 7.5 |