VYPR
Critical severity9.8NVD Advisory· Published Jun 28, 2024· Updated Apr 15, 2026

CVE-2024-5827

CVE-2024-5827

Description

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents <?php system($_GET[0]); ?>. This can lead to command execution or the creation of backdoors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Vanna AI/Vannainferred2 versions
    <=0.3.4+ 1 more
    • (no CPE)range: <=0.3.4
    • (no CPE)range: =0.3.4

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.