CVE-2024-5827
CRITICAL EXPLOITED NUCLEI
vanna-ai/vanna < latest - SQL Injection via DuckDB Integration
Title source: llm
Exploitation Summary
CVE-2024-5827 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
Nuclei Templates (1)
Vanna - SQL injection
CRITICAL VERIFIED by olfloralo, nukunga, harksu, nechyo, gy741
FOFA:
body='vanna.ai'
References (1)
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/e4e64a51-618b-41d0-8f56-1d2146d8825e
Scores
CVSS v3: 9.8
EPSS: 0.0345
EPSS Percentile: 87.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
VulnCheck KEV: 2024-12-05
CWE: CWE-89
Status: published
Products (1)
vanna-ai/vanna-ai/vanna
unspecified - latest
Published: Jun 28, 2024
Tracked Since: Feb 18, 2026