PYSEC-2026-562

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/vanna/PYSEC-2026-562.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-562
Aliases
Published
2026-06-29T11:50:42.052160Z
Modified
2026-06-29T12:15:10.274069961Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
vanna vulnerable to remote code execution caused by prompt injection
Details

In the latest version of vanna-ai/vanna, the vanna.ask function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the exec function in src/vanna/base/base.py. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server.

References

Affected packages

PyPI / vanna

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.6.2

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.37
0.0.38
0.1.0
0.1.1
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.6.1
0.6.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/vanna/PYSEC-2026-562.yaml"