A stored XSS vulnerability exists in the Analytics component of lunary-ai/lunary where NEXT_PUBLIC_CUSTOM_SCRIPT is injected into the DOM using dangerouslySetInnerHTML without sanitization. An attacker controlling this variable during deployment or via server compromise can run arbitrary JavaScript in all users’ browsers.
None