CVE-2025-5352 – “Lunary Analytics NEXT_PUBLIC_CUSTOM_SCRIPT Stored XSS Vulnerability”

August 23, 2025

CVE ID : CVE-2025-5352

Published : Aug. 23, 2025, 7:15 a.m. | 17 hours, 54 minutes ago

Description : A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users’ browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25.

Severity: 8.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-9358 – Linksys RE Series Stack-Based Buffer Overflow

Next Article CVE-2025-5821 – “WordPress Case Theme User Plugin Authentication Bypass”

A Week In The Life Of An AI-Augmented Designer

This week in AI updates: Gemini Code Assist Agent Mode, GitHub’s Agents panel, and more (August 22, 2025)

Microsoft adds Copilot-powered debugging features for .NET in Visual Studio

Blackstone portfolio company R Systems Acquires Novigo Solutions, Strengthening its Product Engineering and Full-Stack Agentic-AI Capabilities

Google Pixel 10 Pro vs. iPhone 16 Pro: I’ve used both handsets, and there’s a clear winner

Master these 48 Windows keyboard shortcuts and finish work early

Why the Pixel 10 is making this longtime iPhone user reconsider their next phone

Google Pixel 10 Pro Fold vs. Samsung Galaxy Z Fold 7: I compared both Androids, and here’s the winner

PERFIXION 2025: Powering AI Ideas

PERFIXION 2025: Powering AI Ideas

MongoDB Data Types

Building Cross-Platform Alerts with Laravel’s Notification Framework

Gears of War returns, Helldivers 2 jumps ship, and Xbox players win big — Xbox’s Aug 25–31 lineup proves the console war is getting interesting again

Gears of War returns, Helldivers 2 jumps ship, and Xbox players win big — Xbox’s Aug 25–31 lineup proves the console war is getting interesting again

Reports say Windows 11 update is bricking drives — is yours on the list?

Razer finally remembered I don’t live in China, so now we can all get this cool Gengar gaming headset

CVE-2025-5352 – “Lunary Analytics NEXT_PUBLIC_CUSTOM_SCRIPT Stored XSS Vulnerability”

Malicious Go Module Poses as SSH Brute-Force Tool, Steals Credentials via Telegram Bot

CVE-2025-8208 – Spexo Addons for Elementor WordPress Stored Cross-Site Scripting

Digital Tools for Renewable Energy: What Wind, Solar, Hydro, and Other Energy Assets Need to Run Smarter

I finally found smart finder tags that last for two years (and they’re cheaper than AirTags)

CVE-2025-43963 – LibRaw Out-of-Bounds Access Vulnerability

Nephele is a pluggable WebDAV server

Higgs Audio

What Zuckerberg’s ‘personal superintelligence’ sales pitch leaves out

Sophos Unmasks Sakura RAT: Hackers Hacking Hackers with Backdoored Malware!

xfce4-dict – client program to query dictionaries

CVE-2025-5352 – “Lunary Analytics NEXT_PUBLIC_CUSTOM_SCRIPT Stored XSS Vulnerability”

Related Posts