vanna-ai vanna FastAPI/Flask Server cross-domain policy_CVE-2026-5321

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Description

A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-5321

Source VulDB

Published Apr 2, 2026 at 04:45

Modified Apr 2, 2026 at 18:30

Affected Product

Vendor vanna-ai

Product vanna

Version 2.0.0

Affected Versions vanna-ai vanna 2.0.0
vanna-ai vanna 2.0.1
vanna-ai vanna 2.0.2

CWE Classification

CWE-942 CWE-346

References

{
    "lastseen": "",
    "description": "A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-04-02T04:45:11.472Z",
    "modified": "2026-04-02T18:30:05.222Z",
    "type": "cve",
    "title": "vanna-ai vanna FastAPI/Flask Server cross-domain policy",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/354653\nhttps://vuldb.com/vuln/354653/cti\nhttps://vuldb.com/submit/780729\nhttps://github.com/August829/CVEP/issues/14",
    "id": "CVE-2026-5321",
    "bulletinFamily": "",
    "cwe": [
        "CWE-942",
        "CWE-346"
    ],
    "cvelist": null,
    "sourceData": "vanna-ai vanna 2.0.0\nvanna-ai vanna 2.0.1\nvanna-ai vanna 2.0.2",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vanna",
    "version": "2.0.0",
    "vendor": "vanna-ai",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}