VYPR

PyPI package

vanna

pkg:pypi/vanna

Vulnerabilities (4)

  • CVE-2026-4229 · High · Mar 16, 2026
    affected <= 2.0.2

    A SQL injection flaw has been found in vanna-ai vanna up to 2.0.2. It affects the function remove_training_data in the file src/vanna/legacy/google/bigquery_vector.py: manipulating the argument ID causes SQL injection. The attack can be initiated remotely. The exploit has been publis

  • CVE-2024-5753 · High · Jul 5, 2024
    affected <= 0.3.4

    vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection that reaches file-critical database functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by explo

  • CVE-2024-5826 · Critical · Jun 27, 2024
    affected <= 0.6.2

    In vanna-ai/vanna up to and including 0.6.2, the `vanna.ask` function is vulnerable to remote code execution via prompt injection. The root cause is the lack of a sandbox around LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function

  • CVE-2024-5565 · High · May 31, 2024
    affected <= 0.5.5

    The Vanna library uses a prompt function to present the user with visualized results. The prompt can be altered through prompt injection so that arbitrary Python code runs instead of the intended visualization code. Specifically, allowing external input to the library’s “ask”
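The two SQL injection entries above (CVE-2026-4229 in `remove_training_data`, CVE-2024-5753 reaching `pg_read_file()`) share one root cause: a caller-controlled id spliced into query text. The following is an added example, not vanna's code, that shows the pattern in miniature next to its parameterized fix. It uses an in-memory sqlite3 database as a stand-in for the BigQuery and Postgres backends so it runs offline; the `training_data` table, its rows and the payloads are constructed for this demo.

```python
# Added example, not vanna's code: the SQL-injection pattern behind
# CVE-2026-4229 (remove_training_data, argument id) and CVE-2024-5753 in
# miniature. sqlite3 in memory stands in for the BigQuery/Postgres backends
# (an assumption so the demo runs offline); the table layout, the
# training_data name and the payloads are constructed for this example.
import sqlite3

ENGINE_VERSION = sqlite3.sqlite_version  # what the read payload exfiltrates

# Tautology that turns "delete this one row" into "delete every row".
PAYLOAD_DELETE_ALL = "x' OR '1'='1"
# UNION payload that smuggles a function call into the query; on Postgres the
# same slot would carry pg_read_file('/etc/passwd') instead of sqlite_version().
PAYLOAD_READ = "x' UNION SELECT sqlite_version() -- "


def make_db() -> sqlite3.Connection:
    """Constructed sample store with three training rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE training_data (id TEXT PRIMARY KEY, question TEXT)")
    conn.executemany(
        "INSERT INTO training_data VALUES (?, ?)",
        [("q-1", "total sales by region"), ("q-2", "top ten customers"), ("q-3", "refund rate")],
    )
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM training_data").fetchone()[0]


def remove_training_data_vulnerable(conn: sqlite3.Connection, id: str) -> int:
    """Vulnerable: the caller-controlled id is spliced into the statement text."""
    conn.execute(f"DELETE FROM training_data WHERE id = '{id}'")
    conn.commit()
    return row_count(conn)


def remove_training_data_fixed(conn: sqlite3.Connection, id: str) -> int:
    """Fixed: the id travels as a bound parameter, never as SQL text."""
    conn.execute("DELETE FROM training_data WHERE id = ?", (id,))
    conn.commit()
    return row_count(conn)


def get_training_question_vulnerable(conn: sqlite3.Connection, id: str):
    """Vulnerable read: a UNION payload makes the query return attacker-chosen data."""
    row = conn.execute(f"SELECT question FROM training_data WHERE id = '{id}'").fetchone()
    return row[0] if row else None


def get_training_question_fixed(conn: sqlite3.Connection, id: str):
    """Fixed read: the payload is just a string that matches no id."""
    row = conn.execute("SELECT question FROM training_data WHERE id = ?", (id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("vulnerable delete leaves", remove_training_data_vulnerable(make_db(), PAYLOAD_DELETE_ALL), "rows")
    print("fixed delete leaves", remove_training_data_fixed(make_db(), PAYLOAD_DELETE_ALL), "rows")
    print("vulnerable read returns", get_training_question_vulnerable(make_db(), PAYLOAD_READ))
    print("fixed read returns", get_training_question_fixed(make_db(), PAYLOAD_READ))
```

The vulnerable delete wipes the whole table with a single tautology, and the vulnerable read returns whatever expression the attacker places after `UNION SELECT`; on a Postgres backend that slot is where `pg_read_file()` goes, which is the file-read described for CVE-2024-5753. The fix is the same in every driver: bind the id as a query parameter (BigQuery's client exposes this as query parameters on the job config) and never format it into the SQL string.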
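The two prompt-injection entries (CVE-2024-5565 and CVE-2024-5826) describe the same failure: model-generated Python reaching `exec` with no sandbox. The following is an added example, not vanna's code, showing a static allow-list gate placed in front of `exec` as one defence-in-depth layer. The gate rules, the sample rows standing in for a DataFrame, and the benign and injected code strings are all constructed for this demo.

```python
# Added example, not vanna's code: the failure behind CVE-2024-5565 and
# CVE-2024-5826 is LLM-generated code reaching exec() unchecked. This shows a
# static allow-list gate in front of exec() as one defence-in-depth layer. The
# gate's rules, the sample rows and the payloads are constructed for the demo;
# the gate is a filter, not a sandbox, and does not replace process isolation.
import ast

# Builtins the generated code may use; anything else is simply absent at run time.
SAFE_BUILTINS = {
    "len": len, "range": range, "min": min, "max": max, "sum": sum,
    "round": round, "sorted": sorted, "abs": abs, "str": str, "int": int,
    "float": float, "list": list, "dict": dict, "tuple": tuple,
}
# Names that must never appear in call position, whatever the builtins table holds.
FORBIDDEN_CALLS = {
    "exec", "eval", "compile", "__import__", "open", "getattr", "setattr",
    "delattr", "globals", "locals", "vars", "breakpoint", "input", "help",
}

# Constructed sample data: (region, revenue) rows standing in for a DataFrame.
SAMPLE_ROWS = [("east", 120.0), ("west", 80.5), ("north", 42.25)]

# What a well-behaved model might return for "total revenue".
BENIGN_CODE = "result = round(sum(r[1] for r in df), 2)"

# What a prompt-injected model returns instead; each is rejected by the gate.
INJECTED_IMPORT = "import os\nresult = os.popen('id').read()"
INJECTED_DUNDER_IMPORT = "result = __import__('os').system('id')"
INJECTED_ESCAPE = "result = ().__class__.__base__.__subclasses__()"


class UnsafeCode(ValueError):
    """Raised when generated code uses a construct outside the allow-list."""


def check_generated_code(code: str) -> ast.Module:
    """Parse, then reject imports, private/dunder access and dangerous calls."""
    tree = ast.parse(code, mode="exec")
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise UnsafeCode("import statements are not allowed")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise UnsafeCode(f"private attribute access: .{node.attr}")
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            raise UnsafeCode(f"dunder name: {node.id}")
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in FORBIDDEN_CALLS:
                raise UnsafeCode(f"forbidden call: {func.id}()")
    return tree


def is_rejected(code: str) -> bool:
    """True when the gate refuses the code."""
    try:
        check_generated_code(code)
    except UnsafeCode:
        return True
    return False


def run_generated_code(code: str, rows):
    """Gate first, then exec with a minimal builtins table; return `result`."""
    tree = check_generated_code(code)
    env = {"__builtins__": SAFE_BUILTINS, "df": rows}
    exec(compile(tree, "<llm-generated>", "exec"), env)
    return env.get("result")


if __name__ == "__main__":
    print("benign:", run_generated_code(BENIGN_CODE, SAMPLE_ROWS))
    for payload in (INJECTED_IMPORT, INJECTED_DUNDER_IMPORT, INJECTED_ESCAPE):
        print("rejected:", is_rejected(payload), repr(payload.splitlines()[0]))
```

The third payload is the one a builtins-only restriction misses: `().__class__.__base__.__subclasses__()` walks the object graph to reach loaded classes without calling any builtin, which is why the gate also refuses attribute names that start with an underscore. Treat a gate like this as a way to shrink the blast radius, not as the fix: AST filters have a long history of bypasses, so the remediation the advisories point at is running model-generated code in a separate, unprivileged process or container with no database credentials and no network, or not executing model output at all.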