CVE-2026-5321
Published 2026-04-02
Priority: P4 (24)
Severity: medium, 4.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.16% (5.8th percentile)
A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
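The advisory only names the weakness class, a cross-domain policy that trusts untrusted origins (CWE-346), not the affected function. The following is an added example and not vanna's code: three origin-check policies a FastAPI/Flask-style server might apply (a reflecting policy, an unanchored allow-origin regex, and an exact-match allowlist) and a probe that reports which origins each policy grants credentialed access to. `TRUSTED_ORIGINS`, `PROBE_ORIGINS` and every function name are constructed for the illustration.

```python
"""
Added example; not vanna's code and not a reproduction of the unknown vulnerable
function. It shows the CWE-346 class as origin-check policies plus a probe that
reports which origins each policy grants credentialed access to.
TRUSTED_ORIGINS, PROBE_ORIGINS and all names below are constructed.
"""
import re
from typing import Callable, Dict, List

# Assumed allowlist for the hardened policy (constructed).
TRUSTED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})

# Constructed probe set: one trusted origin, three lookalikes, and the "null"
# origin that sandboxed iframes and file:// pages send.
PROBE_ORIGINS = [
    "https://app.example.com",
    "https://evil-example.com",
    "https://example.com.attacker.net",
    "https://attacker.net",
    "null",
]

Policy = Callable[[str], Dict[str, str]]


def cors_reflect_origin(origin: str) -> Dict[str, str]:
    """Permissive: echo whatever Origin the browser sent and allow credentials.
    Any site can then make cookie-authenticated requests and read the responses."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_unanchored_regex(origin: str) -> Dict[str, str]:
    """Permissive by accident: meant to allow *.example.com, but the pattern has
    no end anchor and an unescaped dot, so evil-example.com and
    example.com.attacker.net match as well."""
    if re.match(r"https://.*example.com", origin):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_allowlist(origin: str) -> Dict[str, str]:
    """Hardened: exact match against a fixed set; emit the header only for a
    trusted origin, and Vary on Origin so a shared cache cannot replay one
    origin's header to another."""
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def browser_allows_credentialed_read(origin: str, headers: Dict[str, str]) -> bool:
    """The check a browser applies before exposing a credentialed response:
    ACAO must equal the requesting origin exactly ("*" is rejected once
    credentials are involved) and ACAC must be "true"."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


def probe(policy: Policy) -> List[str]:
    """Return the probe origins that `policy` grants credentialed access to;
    anything other than the trusted origin is a finding."""
    return [o for o in PROBE_ORIGINS if browser_allows_credentialed_read(o, policy(o))]


if __name__ == "__main__":
    for p in (cors_reflect_origin, cors_unanchored_regex, cors_allowlist):
        print(f"{p.__name__:24s} grants: {probe(p)}")
```

Run against a real deployment, the same probe is a `curl -H 'Origin: https://evil-example.com' -i` per candidate origin, looking for a reflected `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`. One caveat for FastAPI users: Starlette's `CORSMiddleware`, configured with `allow_origins=["*"]` and `allow_credentials=True`, substitutes the requesting origin for the wildcard on responses to requests that carry a `Cookie` header, so that configuration behaves like the reflecting policy above for simple credentialed requests.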
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jstedfast | mimekit | >= 0 < 4.15.1 | 4.15.1 |
| phpmyfaq | phpmyfaq | >= 0 < 4.1.1 | 4.1.1 |
| thorsten | phpmyfaq | >= 0 < 4.1.1 | 4.1.1 |
| vanna-ai | vanna | — | — |
| vanna-ai | vanna | — | — |
| vanna-ai | vanna | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
GHSA-fp27-q2f5-phx3 (GitHub advisory, unreviewed, 2026-04-02): CVE-2026-5321, MEDIUM, CWE-346 (Origin Validation Error). Same description as the NVD entry above.
GHSA (GitHub advisory, reviewed, 2026-03-31): CVE-2026-32629, MEDIUM, CWE-20 (Improper Input Validation)
phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor
### Summary
An unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML, for example `"alert(1)"@evil.com`. PHP's `FILTER_VALIDATE_EMAIL` accepts this address as valid. The address is stored in the database without HTML sanitization and later rendered in the admin FAQ editor template through Twig's `|raw` filter, which bypasses auto-escaping entirely.
### Details
1. PHP `FILTER_VALIDATE_EMAIL` accepts RFC-valid quoted local parts with dangerous characters

   `phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/FaqController.php:99`

   ```php
   $email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL));
   ```

   PHP accepts "alert(1)"
GHSA (GitHub advisory, reviewed, 2026-03-05): CVE-2026-30227, MEDIUM, CWE-93 (Improper Neutralization of CRLF Sequences, 'CRLF Injection')
MimeKit has CRLF Injection in Quoted Local-Part that Enables SMTP Command Injection and Email Forgery
### Summary
A CRLF Injection vulnerability in MimeKit 4.15.0 allows an attacker to embed `\r\n` into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional `RCPT TO` / `DATA` / `RSET` commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a `MailboxAddress` (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session.
RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10)
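Both advisories on this page turn on the same grammar, the RFC 5321 quoted-string local-part, from opposite directions: phpMyFAQ trusted a validator's "valid" verdict as a safety verdict, while MimeKit's serializer emitted characters the grammar never allows. The following is an added example, not phpMyFAQ's, MimeKit's or vanna's code: a strict parser and serializer for the local-part grammar, a check for the phpMyFAQ condition (valid address, HTML inside), the output-time escaping that replaces `|raw`, and a naive versus grammar-checked `MAIL FROM` serializer for the MimeKit case. All function names and the sample addresses are constructed; address-literal domains are left out for brevity.

```python
"""
Added example (not phpMyFAQ's, MimeKit's or vanna's code): a strict RFC 5321
local-part parser/serializer showing two failure modes of "the address is valid":
  phpMyFAQ: a grammatically valid address can still carry HTML, so validation
            is no substitute for escaping at render time.
  MimeKit:  the grammar cannot carry CR or LF, so a serializer that accepts them
            emits bytes an SMTP peer reads as a command boundary.
All names and sample addresses are constructed for this example.
"""
import html
import re
from typing import Optional, Tuple

# atext per RFC 5322 3.2.3; Dot-string = Atom *("." Atom), Atom = 1*atext
ATEXT = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                  "!#$%&'*+-/=?^_`{|}~")
# Simplified hostname grammar; address-literals such as [192.0.2.1] are out of scope.
DOMAIN_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                       r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$")


def _is_dot_string(s: str) -> bool:
    return all(a and all(c in ATEXT for c in a) for a in s.split("."))


def parse_local_part(local: str) -> Optional[str]:
    """Decode a local-part per RFC 5321 4.1.2, or return None if invalid.
    Quoted-string   = DQUOTE *(qtextSMTP / quoted-pairSMTP) DQUOTE
    qtextSMTP       = %d32-33 / %d35-91 / %d93-126  (no DQUOTE, backslash, controls)
    quoted-pairSMTP = "\\" %d32-126                 (CR/LF cannot be escaped either)"""
    if not local or len(local) > 64:
        return None
    if local[0] != '"':
        return local if _is_dot_string(local) else None
    if len(local) < 2 or local[-1] != '"':
        return None
    out, i, end = [], 1, len(local) - 1
    while i < end:
        ch = local[i]
        if ch == "\\":                       # quoted-pair: next char must be %d32-126
            i += 1
            if i >= end or not 32 <= ord(local[i]) <= 126:
                return None
            out.append(local[i])
        elif ch == '"' or not 32 <= ord(ch) <= 126:
            return None                      # bare DQUOTE or a control/non-ASCII byte
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def parse_mailbox(addr: str) -> Optional[Tuple[str, str]]:
    """Split into (decoded local-part, domain); quoted local-parts may contain '@',
    so split on the last one."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not DOMAIN_RE.match(domain):
        return None
    decoded = parse_local_part(local)
    return None if decoded is None else (decoded, domain)


HTML_SIGNIFICANT = frozenset('<>&"\'')


def is_valid_but_html_bearing(addr: str) -> bool:
    """The phpMyFAQ condition: passes the RFC grammar (as FILTER_VALIDATE_EMAIL would)
    yet the local-part holds characters a |raw render would emit verbatim."""
    parsed = parse_mailbox(addr)
    return parsed is not None and any(c in HTML_SIGNIFICANT for c in parsed[0])


def render_email_for_html(addr: str) -> str:
    """What the template must do instead of |raw: escape at output time."""
    return html.escape(addr, quote=True)


def quote_local_part(raw: str) -> str:
    """Serialize a decoded local-part for the wire: Dot-string when possible, else a
    Quoted-string with '"' and '\\' escaped. Refuses bytes the grammar cannot carry."""
    if _is_dot_string(raw):
        return raw
    out = ['"']
    for ch in raw:
        if not 32 <= ord(ch) <= 126:
            raise ValueError(f"byte {ord(ch)} cannot appear in an RFC 5321 local-part")
        if ch in '"\\':
            out.append("\\")
        out.append(ch)
    out.append('"')
    quoted = "".join(out)
    if len(quoted) > 64:
        raise ValueError("local-part exceeds 64 octets")
    return quoted


def smtp_mail_from_naive(local: str, domain: str) -> bytes:
    """Constructed 'before' shape of the MimeKit bug: quotes without checking
    characters, so CR/LF pass straight to the wire."""
    return f'MAIL FROM:<"{local}"@{domain}>\r\n'.encode("ascii")


def smtp_mail_from_strict(local: str, domain: str) -> bytes:
    """Hardened form: serialize through the grammar, so injection raises before any
    byte is sent."""
    if not DOMAIN_RE.match(domain):
        raise ValueError("invalid domain")
    return f"MAIL FROM:<{quote_local_part(local)}@{domain}>\r\n".encode("ascii")


def count_smtp_commands(wire: bytes) -> int:
    """CRLF-terminated lines, i.e. how many commands an SMTP server would parse."""
    return wire.count(b"\r\n")


# Constructed samples.
HTML_ADDR = '"<img src=x onerror=alert(1)>"@example.invalid'   # valid, HTML inside
INJECTED_LOCAL = "a\r\nRCPT TO:<victim@example.invalid>\r\nb"     # CRLF smuggling attempt
```

Two checks worth keeping from this: any time an address is accepted by a permissive validator, escape it at the output boundary rather than trusting the validator (the phpMyFAQ fix is a render-time concern, not a validation one); and any time an address is written to a protocol that uses CRLF as a delimiter, reject or refuse to serialize control characters rather than quoting around them, because the quoted-string production cannot contain them and a peer will not treat them as part of the address.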
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-02