Vanna-Ai Vanna vulnerabilities
11 known vulnerabilities affecting vanna-ai/vanna.
Total CVEs
11
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH5MEDIUM4
Vulnerabilities
Page 1 of 1
CVE-2024-5565P2CRITICAL≥ 0, ≤ 0.5.52024-05-31
CVE-2024-5565 [CRITICAL] CWE-77 Vanna prompt injection code execution
Vanna prompt injection code execution
The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.
ghsaosv
CVE-2024-5826P2CRITICAL≥ 0, ≤ 0.6.22024-06-27
CVE-2024-5826 [CRITICAL] CWE-94 vanna vulnerable to remote code execution caused by prompt injection
vanna vulnerable to remote code execution caused by prompt injection
In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability
ghsaosv
CVE-2026-5320P3HIGHCVSS 7.3v2.0.0v2.0.1+1 more2026-04-02
CVE-2026-5320 [HIGH] CWE-287 CVE-2026-5320: A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unk
A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early
nvd
CVE-2026-6977P3HIGHCVSS 7.3v2.0.0v2.0.1+1 more2026-04-25
CVE-2026-6977 [HIGH] CWE-266 CVE-2026-6977: A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this discl
nvd
CVE-2026-4231P3HIGHCVSS 7.3v2.0.0v2.0.1+1 more2026-03-16
CVE-2026-4231 [HIGH] CWE-918 CVE-2026-4231: A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the funct
A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. Th
nvd
CVE-2024-5753P3HIGH≥ 0, ≤ 0.3.42024-07-05
CVE-2024-5753 [HIGH] CWE-200 Vanna vulnerable to SQL Injection
Vanna vulnerable to SQL Injection
vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API.
ghsaosv
CVE-2026-4229P3HIGHCVSS 7.3v2.0.0v2.0.1+1 more2026-03-16
CVE-2026-4229 [HIGH] CWE-74 CVE-2026-4229: A flaw has been found in vanna-ai vanna up to 2.0.2. This impacts the function remove_training_data
A flaw has been found in vanna-ai vanna up to 2.0.2. This impacts the function remove_training_data of the file src/vanna/legacy/google/bigquery_vector.py. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but
ghsanvdosv
CVE-2026-4230P3MEDIUMCVSS 6.3v2.0.0v2.0.1+1 more2026-03-16
CVE-2026-4230 [MEDIUM] CWE-74 CVE-2026-4230: A vulnerability has been found in vanna-ai vanna up to 2.0.2. Affected is the function update_sql of
A vulnerability has been found in vanna-ai vanna up to 2.0.2. Affected is the function update_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Such manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this
nvd
CVE-2026-4511P3MEDIUMCVSS 6.3v2.0.0v2.0.1+1 more2026-03-21
CVE-2026-4511 [MEDIUM] CWE-74 CVE-2026-4511: A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. Affected is the function e
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. Affected is the function exec of the file /src/vanna/legacy. Such manipulation leads to injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd
CVE-2026-4513P3MEDIUMCVSS 6.3v2.0.0v2.0.1+1 more2026-03-21
CVE-2026-4513 [MEDIUM] CWE-74 CVE-2026-4513: A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the fu
A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function ask of the file vanna\legacy\base\base.py. Performing a manipulation results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but d
nvd
CVE-2026-5321P4MEDIUMCVSS 4.3v2.0.0v2.0.1+1 more2026-04-02
CVE-2026-5321 [MEDIUM] CWE-346 CVE-2026-5321: A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown function
A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early
nvd