High severity8.1NVD Advisory· Published May 31, 2024· Updated Apr 15, 2026

CVE-2024-5565

Description

The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
vannaPyPI	<= 0.5.5	—

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-7735-w2jp-gvg6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-5565ghsaADVISORY
research.jfrog.com/vulnerabilities/vanna-prompt-injection-rce-jfsa-2024-001034449ghsaWEB
research.jfrog.com/vulnerabilities/vanna-prompt-injection-rce-jfsa-2024-001034449/nvd

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.004
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000