Description
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. Affected is the function exec of the file /src/vanna/legacy. Such manipulation leads to injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Injection via exec function
Action: Apply Patch
AI Analysis

Impact

A flaw in the exec function of the vanna repository’s legacy module allows an attacker to inject arbitrary shell commands. The vulnerability is exploitable over the network, enabling remote execution of any command the application runs with its privileges. This can compromise confidentiality, integrity, and availability of systems running affected versions of the application.

Affected Systems

The issue affects the vanna-ai vanna application up to and including version 2.0.2. No newer versions have been confirmed as fixed in the available data.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS data is available and the flaw is not listed in the CISA KEV catalog. According to the public disclosure, attackers can trigger the injection remotely by supplying malicious input to the exec function in /src/vanna/legacy, leading to arbitrary command execution.

Generated by OpenCVE AI on March 21, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update vanna to a version newer than 2.0.2 or apply the vendor’s patch if released
  • If a patch is not available, restrict network exposure to the affected service and implement a firewall rule to block unwanted inbound traffic
  • Enable audit logging for command execution to detect suspicious activity
  • Regularly monitor the vendor’s security advisories for updates


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Vanna-ai; Vanna-ai vanna

Type: Vendors & Products
Values removed: none
Values added: Vanna-ai; Vanna-ai vanna

Sat, 21 Mar 2026 08:45:00 +0000

Type: Description
Values removed: none
Values added: A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. Affected is the function exec of the file /src/vanna/legacy. Such manipulation leads to injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values removed: none
Values added: vanna-ai vanna legacy exec injection

Type: Weaknesses
Values removed: none
Values added: CWE-707; CWE-74

Type: References
Values removed: none
Values added: none listed

Type: Metrics
Values removed: none
Values added:
cvssV2_0
{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:40:15.990Z

Reserved: 2026-03-20T14:28:39.762Z

Link: CVE-2026-4511

Vulnrichment

Updated: 2026-03-23T16:21:43.052Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T09:16:01.017

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-4511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:16Z

Weaknesses