A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.
Conclusion & alert: CVE-2024-7456 is rated High Exploit Risk (73/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.36%).Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB).Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Public exploit references (Exploit-DB) for CVE-2024-7456
Exploit prediction scoring system (EPSS) score for CVE-2024-7456
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).