Vulnerabilities > Lunary > Critical

DATE CVE VULNERABILITY TITLE RISK
2024-11-01 CVE-2024-7456 SQL Injection vulnerability in Lunary 1.4.2
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2.
network
low complexity
lunary CWE-89
critical
 9.8
9.8
2024-10-29 CVE-2024-7475 Unspecified vulnerability in Lunary
An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization.
network
low complexity
lunary
critical
 9.1
9.1
2024-06-08 CVE-2024-4146 Incorrect Authorization vulnerability in Lunary 1.2.13
In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to.
network
low complexity
lunary CWE-863
critical
 9.8
9.8
2024-06-06 CVE-2024-5328 Unspecified vulnerability in Lunary
A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'.
network
low complexity
lunary
critical
 9.3
9.3
2024-04-10 CVE-2024-1740 Unspecified vulnerability in Lunary
In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token.
network
low complexity
lunary
critical
 9.1
9.1
2024-04-10 CVE-2024-1741 Incorrect Authorization vulnerability in Lunary
lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token.
network
low complexity
lunary CWE-863
critical
 9.1
9.1