| |
Vulnerability CVE-2024-5826
Published: 2024-06-27
| Description: |
In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server. |
Type:
CWE-94 (Improper Control of Generation of Code ('Code Injection'))
References: |
https://huntr.com/bounties/90620087-44ac-4e43-b659-3c5d30889369
|
|
|
Copyright 2026, cxsecurity.com
|
|
|
