CVE-2025-5352 – “Lunary Analytics NEXT_PUBLIC_CUSTOM_SCRIPT Stored XSS Vulnerability”

August 23, 2025

CVE ID : CVE-2025-5352

Published : Aug. 23, 2025, 7:15 a.m. | 17 hours, 54 minutes ago

Description : A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users’ browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25.

Severity: 8.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-9358 – Linksys RE Series Stack-Based Buffer Overflow

Next Article CVE-2025-5821 – “WordPress Case Theme User Plugin Authentication Bypass”

Highlights

CVE-2025-37832 – Allwinner cpufreq sun50i Linux Kernel Out-of-Bounds Read Vulnerability

May 8, 2025

CVE ID : CVE-2025-37832

Published : May 8, 2025, 7:15 a.m. | 58 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

cpufreq: sun50i: prevent out-of-bounds access

A KASAN enabled kernel reports an out-of-bounds access when handling the
nvmem cell in the sun50i cpufreq driver:
==================================================================
BUG: KASAN: slab-out-of-bounds in sun50i_cpufreq_nvmem_probe+0x180/0x3d4
Read of size 4 at addr ffff000006bf31e0 by task kworker/u16:1/38

This is because the DT specifies the nvmem cell as covering only two
bytes, but we use a u32 pointer to read the value. DTs for other SoCs
indeed specify 4 bytes, so we cannot just shorten the variable to a u16.

Fortunately nvmem_cell_read() allows to return the length of the nvmem
cell, in bytes, so we can use that information to only access the valid
portion of the data.
To cover multiple cell sizes, use memcpy() to copy the information into a
zeroed u32 buffer, then also make sure we always read the data in little
endian fashion, as this is how the data is stored in the SID efuses.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Intel Arc graphics driver update improves “performance and frame pacing” on MSI Claw handhelds with Core Ultra 200V chips

April 11, 2025

CVE-2025-5540 – WordPress Event RSVP and Simple Event Management Plugin Stored Cross-Site Scripting Vulnerability

June 26, 2025

Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324)

April 29, 2025

A Week In The Life Of An AI-Augmented Designer

This week in AI updates: Gemini Code Assist Agent Mode, GitHub’s Agents panel, and more (August 22, 2025)

Microsoft adds Copilot-powered debugging features for .NET in Visual Studio

Blackstone portfolio company R Systems Acquires Novigo Solutions, Strengthening its Product Engineering and Full-Stack Agentic-AI Capabilities

The best AirTag alternative for Samsung users is currently 30% off

One of the biggest new features on the Google Pixel 10 is also one of the most overlooked

I tested these viral ‘crush-proof’ Bluetooth speakers, and they’re not your average portables

I compared the best smartwatches from Google and Apple – and there’s a clear winner

MongoDB Data Types

MongoDB Data Types

Building Cross-Platform Alerts with Laravel’s Notification Framework

Add Notes Functionality to Eloquent Models With the Notable Package

Microsoft nags more users with Windows 10 end of life banner, says get Windows 11

Microsoft nags more users with Windows 10 end of life banner, says get Windows 11

Hate Windows 11? Windows 10’s extended updates Enroll button is slowly rolling out, says Microsoft

Firefox Web App Support Available to Test (on Windows, At Least)

CVE-2025-5352 – “Lunary Analytics NEXT_PUBLIC_CUSTOM_SCRIPT Stored XSS Vulnerability”

CVE-2025-8208 – Spexo Addons for Elementor WordPress Stored Cross-Site Scripting

CVE-2025-9379 – “Belkin AX1800 Firmware Update Handler Remote Authentication Bypass”

CVE-2025-47937 – TYPO3 Table Query Privilege Escalation Vulnerability

7 Best ChatGPT Alternatives

This iOS 26 feature makes the iPhone 17 Air a more reasonable upgrade for me

CVE-2025-40624 – TCMAN’s GIM SQL Injection Vulnerability

CVE-2025-37832 – Allwinner cpufreq sun50i Linux Kernel Out-of-Bounds Read Vulnerability

Intel Arc graphics driver update improves “performance and frame pacing” on MSI Claw handhelds with Core Ultra 200V chips

CVE-2025-5540 – WordPress Event RSVP and Simple Event Management Plugin Stored Cross-Site Scripting Vulnerability

Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324)

CVE-2025-5352 – “Lunary Analytics NEXT_PUBLIC_CUSTOM_SCRIPT Stored XSS Vulnerability”

Related Posts