Browse all 15 CVE security advisories affecting vanna-ai. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Vanna-ai is an AI-powered tool designed to assist developers with SQL query generation and database interaction. Historically, the platform has been susceptible to multiple vulnerability classes, including remote code execution (RCE), cross-site scripting (XSS), and privilege escalation, with 15 CVEs documented to date. These vulnerabilities often stem from improper input validation and insecure API endpoints. While no major public security incidents have been reported, the consistent discovery of flaws suggests potential risks for organizations implementing the tool without proper hardening. Users should remain vigilant about applying security patches and implementing least privilege principles when integrating this AI assistant into development workflows.
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-6977 | vanna-ai vanna Legacy Flask API improper authorization | CWE-285 | 7.3 | High | 2026-04-25 |
| CVE-2026-5321 | vanna-ai vanna FastAPI/Flask Server cross-domain policy | CWE-942 | 4.3 | Medium | 2026-04-02 |
| CVE-2026-5320 | vanna-ai vanna Chat API Endpoint v2 missing authentication | CWE-306 | 7.3 | High | 2026-04-02 |
| CVE-2026-4513 | vanna-ai vanna base.py ask sql injection | CWE-89 | 6.3 | Medium | 2026-03-21 |
| CVE-2026-4511 | vanna-ai vanna legacy exec injection | CWE-74 | 6.3 | Medium | 2026-03-21 |
| CVE-2026-4231 | vanna-ai vanna Endpoint __init__.py run_sql server-side request forgery | CWE-918 | 7.3 | High | 2026-03-16 |
| CVE-2026-4230 | vanna-ai vanna Endpoint __init__.py update_sql sql injection | CWE-89 | 6.3 | Medium | 2026-03-16 |
| CVE-2026-4229 | vanna-ai vanna bigquery_vector.py remove_training_data sql injection | CWE-89 | 7.3 | High | 2026-03-16 |
This page lists every published CVE security advisory associated with vanna-ai. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.