2 matches found
CVE-2025-5352
A critical stored Cross-Site Scripting XSS vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXTPUBLICCUSTOMSCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This...
CVE-2024-7476
The CVE-2024-7476 issue is a broken access control in lunary-ai/lunary versions 1.2.7 through 1.4.2. The root cause is improper access control on the /v1/templates/{id}/versions endpoint, which allows an authenticated attacker to modify any user’s templates by sending a crafted HTTP POST request....