PT-2026-25640 · Vanna-Ai · Vanna
Eric-Y
+1
·
Published
2026-03-16
·
Updated
2026-03-16
·
CVE-2026-4230
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
vanna-ai vanna versions up to 2.0.2
Description
A flaw exists in the
update sql function within the src/vanna/legacy/flask/ init .py file of the Endpoint component. This issue allows for SQL injection, and can be exploited remotely. The exploit has been publicly disclosed. The vendor was informed of this disclosure but did not respond.Recommendations
Versions prior to 2.0.2 should be updated. As a temporary workaround, consider restricting access to the
update sql() function until a patch is available.Exploit
Fix
SQL injection
Special Elements Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Vanna