
vanna-ai — Vulnerabilities & Security Advisories (15)

Browse all 15 CVE security advisories affecting vanna-ai. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Vanna-ai is an AI-powered tool designed to assist developers with SQL query generation and database interaction. Historically, the platform has been susceptible to multiple vulnerability classes, including remote code execution (RCE), cross-site scripting (XSS), and privilege escalation, with 15 CVEs documented to date. These vulnerabilities often stem from improper input validation and insecure API endpoints. While no major public security incidents have been reported, the consistent discovery of flaws suggests potential risks for organizations implementing the tool without proper hardening. Users should remain vigilant about applying security patches and implementing least privilege principles when integrating this AI assistant into development workflows.

Top products by vanna-ai: vanna (vanna-ai/vanna)

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-6977 | vanna-ai vanna Legacy Flask API improper authorization | vanna | CWE-285 | 7.3 | High | 2026-04-25
CVE-2026-5321 | vanna-ai vanna FastAPI/Flask Server cross-domain policy | vanna | CWE-942 | 4.3 | Medium | 2026-04-02
CVE-2026-5320 | vanna-ai vanna Chat API Endpoint v2 missing authentication | vanna | CWE-306 | 7.3 | High | 2026-04-02
CVE-2026-4513 | vanna-ai vanna base.py ask sql injection | vanna | CWE-89 | 6.3 | Medium | 2026-03-21
CVE-2026-4511 | vanna-ai vanna legacy exec injection | vanna | CWE-74 | 6.3 | Medium | 2026-03-21
CVE-2026-4231 | vanna-ai vanna Endpoint __init__.py run_sql server-side request forgery | vanna | CWE-918 | 7.3 | High | 2026-03-16
CVE-2026-4230 | vanna-ai vanna Endpoint __init__.py update_sql sql injection | vanna | CWE-89 | 6.3 | Medium | 2026-03-16
CVE-2026-4229 | vanna-ai vanna bigquery_vector.py remove_training_data sql injection | vanna | CWE-89 | 7.3 | High | 2026-03-16
CVE-2024-7764 | SQL Injection in vanna-ai/vanna | vanna-ai/vanna | CWE-89 | 9.8 | - | 2025-03-20
CVE-2024-8055 | Local File Read (LFI) by Prompt Injection via SnowFlake SQL in vanna-ai/vanna | vanna-ai/vanna | CWE-89 | 9.1 | - | 2025-03-20
CVE-2024-6841 | CSRF in vanna-ai/vanna | vanna-ai/vanna | CWE-352 | 8.8 | - | 2025-03-20
CVE-2024-8099 | Server-Side Request Forgery (SSRF) in vanna-ai/vanna | vanna-ai/vanna | CWE-918 | 9.1 | - | 2025-03-20
CVE-2024-5753 | Local File Read (LFI) by Prompt Injection via Postgres SQL in vanna-ai/vanna | vanna-ai/vanna | CWE-89 | 9.1 | Critical | 2024-07-05
CVE-2024-5827 | Arbitrary File Write by Prompt Injection via DuckDB SQL in vanna-ai/vanna | vanna-ai/vanna | CWE-89 | 9.8 | Critical | 2024-06-28
CVE-2024-5826 | Remote Code Execution via Prompt Injection in vanna-ai/vanna | vanna-ai/vanna | CWE-94 | 9.8 | Critical | 2024-06-27

This page lists every published CVE security advisory associated with vanna-ai. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.