{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "e977d06f18a615963ffbe07e5bdff70218c29907"
            }
          ],
          "repo": "https://github.com/lunary-ai/lunary",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified `projectId`. The vulnerability has been addressed in version 1.9.23.",
  "id": "CVE-2025-4962",
  "modified": "2025-11-19T17:35:48.251250289Z",
  "published": "2025-08-18T14:15:30.050Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/137a0aef-e243-49d4-832f-8e56056cba1a"
    },
    {
      "type": "FIX",
      "url": "https://github.com/lunary-ai/lunary/commit/e977d06f18a615963ffbe07e5bdff70218c29907"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}