Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-4779


lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can submit a run to the `v1/runs/ingest` endpoint with an empty `citations` field; that field switches the front end into a code path where `dangerouslySetInnerHTML` is used to render the attacker-controlled text as raw HTML instead of escaped text. Any JavaScript embedded in the stored text then executes in the browser of a user who views the run, which can lead to session hijacking, data theft, or other actions performed with that user's privileges.
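To make the described code path concrete, the following is an added example, not lunary's own code: a plain-JavaScript model of a run renderer that switches to raw-HTML rendering when a `citations` field is present, beside a hardened version that escapes untrusted text on every path. The component structure, the field names other than `citations`, and the payload are assumptions constructed for illustration.

```javascript
// Added example (not lunary's code). Models the two render paths the advisory
// describes so the difference between text rendering and raw-HTML rendering is
// visible. The component structure below is an assumption, not the real one.

// Constructed ingest payload in the shape the advisory describes: attacker-
// controlled output text plus an empty `citations` field.
const CONSTRUCTED_RUN = {
  type: "llm",
  output: '<img src=x onerror="alert(document.cookie)">',
  citations: [],
};

// Minimal HTML escaping, equivalent to what React does when it renders a
// string as a text child (as opposed to dangerouslySetInnerHTML).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable model: when `citations` is present (even empty) the component
// takes a "rich" path that injects the output as raw HTML, which is what
// dangerouslySetInnerHTML does; otherwise it renders the output as escaped
// text. This is why merely adding the field is enough to reach the bug.
function renderOutputVulnerable(run) {
  if (run.citations !== undefined) {
    return `<div class="output">${run.output}</div>`; // raw HTML: stored XSS
  }
  return `<div class="output">${escapeHtml(run.output)}</div>`;
}

// Hardened model: untrusted text never reaches a raw-HTML path. The output is
// escaped regardless of whether citations exist, and each citation is built
// from its own fields, escaped individually, rather than from pre-rendered HTML.
function renderOutputHardened(run) {
  const body = `<div class="output">${escapeHtml(run.output)}</div>`;
  const cites = (run.citations || [])
    .map((c) => `<li>${escapeHtml(c.title || "")}</li>`)
    .join("");
  return cites ? `${body}<ul class="citations">${cites}</ul>` : body;
}

// Regression check usable in a unit test: does the untrusted input, which
// contains markup characters, survive verbatim in the rendered HTML?
function leaksRawMarkup(rendered, untrusted) {
  if (!/[<>]/.test(untrusted)) return false;
  return rendered.includes(untrusted);
}

function main() {
  const vuln = renderOutputVulnerable(CONSTRUCTED_RUN);
  const safe = renderOutputHardened(CONSTRUCTED_RUN);
  console.log("vulnerable path leaks markup:", leaksRawMarkup(vuln, CONSTRUCTED_RUN.output));
  console.log("hardened path leaks markup:  ", leaksRawMarkup(safe, CONSTRUCTED_RUN.output));
}
main();
```

The useful property of `leaksRawMarkup` is that it fails the vulnerable renderer only when the trigger field is present, which mirrors how the advisory describes the bug: the same payload without `citations` is escaped correctly, so a test suite that never sends that field would not catch the regression.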


Published

2025-07-07T10:15:28.717

Last Modified

2025-07-08T16:18:34.923

Status

Awaiting Analysis

Source

[email protected]

Severity

CVSSv3.0: 9.1 (CRITICAL)

Weaknesses
  • Type: Primary
    CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Affected Vendors & Products

-


References