Vulnerabilities > Lunary > High
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2025-03-20 | CVE-2024-8998 | Unspecified vulnerability in Lunary | A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. | 7.5 |
2025-03-20 | CVE-2024-8999 | Improper Access Control vulnerability in Lunary | lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. | 7.5 |
2025-03-20 | CVE-2024-9096 | Improper Authorization vulnerability in Lunary 1.4.28 | In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. | 7.1 |
2025-03-20 | CVE-2024-9099 | Exposure of Sensitive Information Through Metadata vulnerability in Lunary 1.4.29 | In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. | 8.1 |
2024-11-14 | CVE-2024-3760 | Unspecified vulnerability in Lunary | In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. | 7.5 |
2024-11-14 | CVE-2024-3379 | Incorrect Authorization vulnerability in Lunary | In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. | 8.1 |
2024-11-14 | CVE-2024-3501 | Insecure Storage of Sensitive Information vulnerability in Lunary | In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. | 8.1 |
2024-11-14 | CVE-2024-3502 | Insecure Storage of Sensitive Information vulnerability in Lunary | In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. | 8.1 |
2024-10-29 | CVE-2024-7474 | Unspecified vulnerability in Lunary | In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. | 8.1 |
2024-09-13 | CVE-2024-6862 | Cross-Site Request Forgery (CSRF) vulnerability in Lunary 1.2.34 | A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. | 8.1 |