- Description: lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.
- Source: security@huntr.dev
- NVD status: Awaiting Analysis

CVSS 3.0
- Type: Secondary
- Base score: 9.1
- Impact score: 5.2
- Exploitability score: 3.9
- Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Severity: CRITICAL
- Source: security@huntr.dev
- CWE: CWE-79
- Hype score: Not currently trending
CVE-2025-4779 lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/… https://t.co/uzOIm8rhWd
@CVEnew
7 Jul 2025
[CVE-2025-4779: CRITICAL] Ensure cyber safety! Beware of Lunary versions before 1.9.24 susceptible to XSS attacks. Attackers can inject harmful scripts through an endpoint, risking data theft or hijacking. #cve, CVE-2025-4779, #cybersecurity https://t.co/GPaKD0U2XA https://t.co/cLcw
@CveFindCom
7 Jul 2025