| शीर्षक | Vanna AI Vanna 2.0.2 Direct SQL Injection via Legacy Flask API in Vanna |
|---|
| विवरण | Vanna <= 2.0.2 contains a direct SQL injection vulnerability in its legacy Flask API. The `/api/v0/update_sql` endpoint allows an unauthenticated attacker to store arbitrary SQL statements in the server-side cache, and the `/api/v0/run_sql` endpoint retrieves and executes them directly against the connected database without any validation or parameterization. Combined with the default `NoAuth()` authentication (which requires no credentials), this creates a complete unauthenticated remote SQL injection chain that does not depend on LLM behavior. |
|---|
| स्रोत | ⚠️ https://github.com/yidaozhongqing/York/issues/1 |
|---|
| उपयोगकर्ता | York Shen (UID 97025) |
|---|
| सबमिशन | 02/04/2026 09:30 AM (26 दिन पहले) |
|---|
| संयम | 24/04/2026 08:47 PM (22 days later) |
|---|
| स्थिति | प्रतिलिपि |
|---|
| VulDB प्रविष्टि | 351153 [vanna-ai vanna तक 2.0.2 Endpoint __init__.py update_sql SQL इंजेक्शन] |
|---|
| अंक | 0 |
|---|