Lucene search
+L

159 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-562 vanna vulnerable to remote code execution caused by prompt injection

In the latest version of vanna-ai/vanna, the vanna.ask function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the exec function in...

9.8CVSS7.8AI score0.00875EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-561 Vanna prompt injection code execution

The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with...

9.2CVSS7.9AI score0.14956EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/27 7:23 p.m.10 views

CVE-2026-6977

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and ma...

7.5CVSS6.9AI score0.00278EPSS
Exploits0References1
NVD
NVD
added 2026/04/25 11:16 a.m.11 views

CVE-2026-6977

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and ma...

7.5CVSS0.00278EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/25 10:15 a.m.4 views

CVE-2026-6977

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and ma...

7.5CVSS6.9AI score0.00278EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/04/25 10:15 a.m.35 views

CVE-2026-6977

CVE-2026-6977 affects vanna-ai vanna up to 2.0.2, arising from an unknown function in the Legacy Flask API that leads to improper authorization. The vulnerability is exploitable remotely and has been disclosed publicly; exploitation status is indicated as a public disclosure with potential use. T...

7.5CVSS7AI score0.00278EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/25 10:15 a.m.7 views

CVE-2026-6977 vanna-ai vanna Legacy Flask API improper authorization

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and ma...

7.5CVSS7AI score0.00278EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/25 10:15 a.m.9 views

EUVD-2026-25653

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and ma...

7.5CVSS6.9AI score0.00278EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/25 10:15 a.m.45 views

CVE-2026-6977 vanna-ai vanna Legacy Flask API improper authorization

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and ma...

7.5CVSS0.00278EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/25 12:0 a.m.13 views

PT-2026-35147

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and ma...

7.5CVSS7AI score0.00278EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/25 12:0 a.m.11 views

Vanna 安全漏洞

Vanna is a personalized AI SQL proxy from Vanna Corporation. Versions of Vanna 2.0.2 and earlier contained security vulnerabilities, which were caused by improper authorization in the Legacy Flask API component. These vulnerabilities could lead to remote attacks...

7.5CVSS7.2AI score0.00278EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/03 5:8 a.m.8 views

CVE-2026-5320

A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is n...

7.5CVSS6.8AI score0.00414EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/03 5:8 a.m.5 views

CVE-2026-5321

A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been...

5.3CVSS5.5AI score0.00162EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/02 6:31 a.m.6 views

EUVD-2026-18120

A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is n...

7.5CVSS5.6AI score0.00414EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/02 6:31 a.m.7 views

EUVD-2026-18122

A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been...

5.3CVSS5.5AI score0.00162EPSS
Exploits0References5
vulnersOsv
vulnersOsv
added 2026/04/02 6:15 a.m.2 views

cy-ai-trainer (>=0.0.1 <=0.0.2), llama-index-packs-vanna (>=0.0.1 <=0.3.0) +2 more potentially affected by CVE-2026-5320 via vanna (>=0.0.30 <=2.0.2)

vanna PYPI version =0.0.30, =0.0.1, =0.0.1, =1.0.0, =2.0.0 Source cves: CVE-2026-5320 Source advisory: SNYK:PYTHON-VANNA-15873865...

7.5CVSS7.1AI score0.00414EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/02 6:15 a.m.2 views

cy-ai-trainer (>=0.0.1 <=0.0.2), llama-index-packs-vanna (>=0.0.1 <=0.3.0) +2 more potentially affected by CVE-2026-5321 via vanna (>=0.0.30 <=2.0.2)

vanna PYPI version =0.0.30, =0.0.1, =0.0.1, =1.0.0, =2.0.0 Source cves: CVE-2026-5321 Source advisory: SNYK:PYTHON-VANNA-15873866...

5.3CVSS5.4AI score0.00162EPSS
Exploits0
Snyk
Snyk
added 2026/04/02 6:15 a.m.4 views

Permissive Cross-domain Policy with Untrusted Domains

Overview vanna is a Generate SQL queries from natural language Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via CORS misconfiguration in the FastAPI/Flask server components. An attacker can cause unauthorized cross-domain requests by...

5.3CVSS5.9AI score0.00162EPSS
Exploits0References2
NVD
NVD
added 2026/04/02 5:16 a.m.5 views

CVE-2026-5321

A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been...

5.3CVSS0.00162EPSS
Exploits0References4
NVD
NVD
added 2026/04/02 5:16 a.m.6 views

CVE-2026-5320

A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is n...

7.5CVSS0.00414EPSS
Exploits0References4
Rows per page
Query Builder