CVE-2025-4779

6.1 MEDIUM
Published: July 07, 2025 Modified: December 03, 2025
View on NVD

Description

lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/lunary-ai/lunary/commit/18750294a76ff6c0f3f1b6af4ac1a23399836b16
Source: security@huntr.dev
Patch
https://huntr.com/bounties/c603b64e-5171-4eed-8983-a7f656ce2c4d
Source: security@huntr.dev
Exploit Patch Third Party Advisory

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
0.1%
28th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

lunary

Related CVEs

CVE-2026-21652 N/A
CVE-2026-21651 N/A
CVE-2026-21650 N/A
CVE-2026-21649 N/A
CVE-2026-21648 N/A