CVE-2025-4779 – Lunary Ai Lunary Stored Cross-Site Scripting (XSS)
CVE ID: CVE-2025-4779
Published: July 7, 2025, 10:15 a.m.
Description: lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user’s browser, potentially leading to session hijacking, data theft, or other malicious actions.
Severity: 9.1 | CRITICAL