PT-2025-33652 · Lunary · Lunary

Published 2025-08-18 · Updated 2025-08-18 · CVE-2025-4962

CVSS v3.1 7.7 High

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Lunary versions up to 0.8.8
Description: An Insecure Direct Object Reference (IDOR) vulnerability exists in the POST /v1/templates endpoint of the Lunary API. An authenticated user can create templates in another user's project by supplying that project's identifier in the projectId parameter of the request body. The issue stems from a missing server-side check that the authenticated user actually owns the project identified by projectId: the endpoint authenticates the caller but does not authorize the caller against the object being written to, so the client-controlled projectId is trusted as-is. Impact is integrity only (a template is written into a foreign project); confidentiality and availability are not affected, which matches the CVSS vector.
Recommendations: Lunary versions prior to 1.9.23: Update to version 1.9.23 or later to resolve the issue.
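The shape of the bug and of the fix, as an added example. This is not Lunary's own code: the in-memory store, the handler names and the field names below are hypothetical, and the sample projects and users are constructed for the demonstration. The vulnerable handler only checks that the project exists; the hardened handler resolves the project through the authenticated user's identity, so a foreign projectId is rejected before anything is written.

```typescript
// Added illustration of the access-control gap described in CVE-2025-4962.
// Not Lunary's own code: store, handler and field names are hypothetical.

type Project = { id: string; ownerId: string };
type Template = { id: string; projectId: string; slug: string; createdBy: string };
type Store = { projects: Map<string, Project>; templates: Template[] };

// Request as the handler sees it: userId comes from the verified session,
// projectId comes from the client-controlled JSON body.
type TemplateRequest = { userId: string; body: { projectId: string; slug: string } };
type Result = { status: number; template?: Template };

// Constructed sample state: two tenants, each owning one project.
function makeStore(): Store {
  return {
    projects: new Map<string, Project>([
      ["proj-alice", { id: "proj-alice", ownerId: "alice" }],
      ["proj-bob", { id: "proj-bob", ownerId: "bob" }],
    ]),
    templates: [],
  };
}

function insertTemplate(store: Store, req: TemplateRequest): Template {
  const template: Template = {
    id: `tpl-${store.templates.length + 1}`,
    projectId: req.body.projectId,
    slug: req.body.slug,
    createdBy: req.userId,
  };
  store.templates.push(template);
  return template;
}

// Vulnerable shape: authentication happened, authorization did not.
// The only check is that the project exists, so any logged-in user can
// write into any project whose id they know or can guess.
function createTemplateVulnerable(store: Store, req: TemplateRequest): Result {
  if (!store.projects.has(req.body.projectId)) return { status: 404 };
  return { status: 200, template: insertTemplate(store, req) };
}

// Hardened shape: the project is looked up through the caller's identity.
// Ownership is part of the lookup rather than a separate step that can be
// forgotten, and a foreign project is indistinguishable from a missing one.
function findOwnedProject(store: Store, userId: string, projectId: string): Project | undefined {
  const project = store.projects.get(projectId);
  return project && project.ownerId === userId ? project : undefined;
}

function createTemplateFixed(store: Store, req: TemplateRequest): Result {
  if (!findOwnedProject(store, req.userId, req.body.projectId)) return { status: 404 };
  return { status: 200, template: insertTemplate(store, req) };
}

// Cross-tenant attempt: bob, authenticated, targets alice's project.
function crossTenantAttempt(handler: (s: Store, r: TemplateRequest) => Result): Result {
  const store = makeStore();
  return handler(store, { userId: "bob", body: { projectId: "proj-alice", slug: "injected" } });
}

// Run stand-alone: the vulnerable handler returns 200 and a template bound to
// proj-alice created by bob; the fixed handler returns 404 and writes nothing.
console.log(crossTenantAttempt(createTemplateVulnerable));
console.log(crossTenantAttempt(createTemplateFixed));
```

The database-backed equivalent of findOwnedProject is scoping the lookup to the caller, for example selecting the project by both its id and the caller's user or organization id, instead of checking existence by id alone. Returning 404 rather than 403 for a foreign project avoids confirming to the caller that the guessed projectId exists.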

Fix

Update to Lunary 1.9.23 or later.

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2025-4962

Affected Products

Lunary