lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., xa0). This vulnerability can be exploited to conduct phishing attacks, damage the applications brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage.
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Lunary | Lunary | 1.2.26 (including) | 1.2.26 (including) |