{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5321", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-01T13:00:12.749Z", "datePublished": "2026-04-02T04:45:11.472Z", "dateUpdated": "2026-04-02T18:30:05.222Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T04:45:11.472Z"}, "title": "vanna-ai vanna FastAPI/Flask Server cross-domain policy", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-942", "lang": "en", "description": "Permissive Cross-domain Policy with Untrusted Domains"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-346", "lang": "en", "description": "Origin Validation Error"}]}], "affected": [{"vendor": "vanna-ai", "product": "vanna", "versions": [{"version": "2.0.0", "status": "affected"}, {"version": "2.0.1", "status": "affected"}, {"version": "2.0.2", "status": "affected"}], "modules": ["FastAPI/Flask Server"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-01T15:05:20.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yu_Bao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354653", "name": "VDB-354653 | vanna-ai vanna FastAPI/Flask Server cross-domain policy", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/354653/cti", "name": "VDB-354653 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780729", "name": "Submit #780729 | vanna-ai vanna 2.0.2 CORS Origin Reflection with Credentials", "tags": ["third-party-advisory"]}, {"url": "https://github.com/August829/CVEP/issues/14", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:29:53.542419Z", "id": "CVE-2026-5321", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:30:05.222Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5321", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-01T13:00:12.749Z", "datePublished": "2026-04-02T04:45:11.472Z", "dateUpdated": "2026-04-02T18:30:05.222Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T04:45:11.472Z"}, "title": "vanna-ai vanna FastAPI/Flask Server cross-domain policy", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-942", "lang": "en", "description": "Permissive Cross-domain Policy with Untrusted Domains"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-346", "lang": "en", "description": "Origin Validation Error"}]}], "affected": [{"vendor": "vanna-ai", "product": "vanna", "versions": [{"version": "2.0.0", "status": "affected"}, {"version": "2.0.1", "status": "affected"}, {"version": "2.0.2", "status": "affected"}], "modules": ["FastAPI/Flask Server"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-01T15:05:20.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yu_Bao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354653", "name": "VDB-354653 | vanna-ai vanna FastAPI/Flask Server cross-domain policy", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/354653/cti", "name": "VDB-354653 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780729", "name": "Submit #780729 | vanna-ai vanna 2.0.2 CORS Origin Reflection with Credentials", "tags": ["third-party-advisory"]}, {"url": "https://github.com/August829/CVEP/issues/14", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5321", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T18:29:53.542419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:29:58.495Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5321", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T05:16:05.010", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/August829/CVEP/issues/14"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780729"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354653"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354653/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-942"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vanna", "source": "cna", "vendor": "vanna-ai"}, "product": "vanna", "vendor": "vanna-ai"}], "analysis": {"en": {"generated_at": "2026-04-02T10:26:09.758073+00:00", "value": {"mitigation_remediation": ["Check vanna release notes or the vendor\u2019s website for a patched version that fixes the CORS issue; apply the upgrade if available.", "If no updated package exists, modify the FastAPI/Flask configuration to disallow wildcard origins by setting a strict list of allowed origins or removing the permissive policy.", "Add validation of the Origin header to ensure only trusted domains can receive responses, rejecting any requests with untrusted origins.", "Restrict network exposure of the affected endpoints by implementing firewalls or network segmentation to limit access to trusted networks.", "Monitor application logs for unusual cross-origin requests and investigate any suspicious activity."], "summary": {"action": "Patch", "impact": "Cross-origin data exposure"}, "threat_synthesis": {"affected_systems": "All installations of vanna containing the FastAPI/Flask server component through version 2.0.2 are affected. No other product versions are mentioned.", "description_and_impact": "A flaw in vanna up to version 2.0.2 allows manipulation of its FastAPI/Flask server configuration, resulting in a permissive CORS policy that permits untrusted domains. This can enable malicious web origins to access the API and sensitive data, leading to potential data leakage or unauthorized interactions.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate risk; the flaw is exploitable remotely with no local access required. The vulnerability has published exploits, implying it can be triggered from an external network. Attackers likely exploit it by sending specially crafted requests that configure the server to allow cross-origin requests from arbitrary domains."}}}}, "created": "2026-04-02T20:15:45.422952+00:00", "updated": "2026-04-02T20:22:21.052206+00:00", "vendors": ["vanna-ai", "vanna-ai$PRODUCT$vanna"]}