Critical

DATE	CVE	VULNERABILITY TITLE	RISK
2024-11-01	CVE-2024-7456	SQL Injection vulnerability in Lunary 1.4.2 A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. network low complexity lunary CWE-89 critical	9.8
2024-10-29	CVE-2024-7475	Unspecified vulnerability in Lunary An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. network low complexity lunary critical	9.1
2024-06-08	CVE-2024-4146	Incorrect Authorization vulnerability in Lunary 1.2.13 In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. network low complexity lunary CWE-863 critical	9.8
2024-06-06	CVE-2024-5328	Unspecified vulnerability in Lunary A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. network low complexity lunary critical	9.3
2024-04-10	CVE-2024-1741	Incorrect Authorization vulnerability in Lunary lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. network low complexity lunary CWE-863 critical	9.1
2024-04-10	CVE-2024-1740	Unspecified vulnerability in Lunary In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. network low complexity lunary critical	9.1