Vulnerabilities > Lunary > Lunary > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-03-20 | CVE-2024-11300 | Unspecified vulnerability in Lunary In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. | 6.5 |
| 2025-03-20 | CVE-2024-9000 | Improper Authorization vulnerability in Lunary 1.4.26 In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. | 6.5 |
| 2025-03-20 | CVE-2024-9098 | Improper Access Control vulnerability in Lunary In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. | 6.1 |
| 2025-03-20 | CVE-2025-0281 | Cross-site Scripting vulnerability in Lunary A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. | 5.4 |
| 2024-10-29 | CVE-2024-7472 | Injection vulnerability in Lunary 1.2.26 lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). | 6.5 |
| 2024-10-29 | CVE-2024-7473 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary 1.3.2 An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. | 6.5 |
| 2024-09-13 | CVE-2024-6087 | Unspecified vulnerability in Lunary An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. | 6.5 |
| 2024-09-13 | CVE-2024-6582 | Missing Authentication for Critical Function vulnerability in Lunary A broken access control vulnerability exists in the latest version of lunary-ai/lunary. | 4.3 |
| 2024-09-13 | CVE-2024-6867 | Insufficient Granularity of Access Control vulnerability in Lunary 1.4.9 An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. | 6.5 |
| 2024-06-27 | CVE-2024-5714 | Unspecified vulnerability in Lunary 1.2.4 In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. | 6.8 |