{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-07-01T00:17:21.445","vulnerabilities":[{"cve":{"id":"CVE-2024-6841","sourceIdentifier":"security@huntr.dev","published":"2025-03-20T10:15:33.867","lastModified":"2026-06-17T08:18:48.930","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A Cross-Site Request Forgery (CSRF) vulnerability exists in the latest commit (56b782bcefd2e59b19cd7ba7878b95f54884f502) of the vanna-ai/vanna repository. Two endpoints in the built-in web app that provide SQL functionality are implemented as simple GET requests, making them susceptible to CSRF attacks. This vulnerability allows an attacker to run arbitrary SQL commands via CSRF without the target intending to expose the web app to the network or other users. The impact is limited to data alteration or deletion, as the attacker cannot read the results of the query."},{"lang":"es","value":"Existe una vulnerabilidad de Cross-Site Request Forgery (CSRF) en el último commit (56b782bcefd2e59b19cd7ba7878b95f54884f502) del repositorio vanna-ai/vanna. Dos endpoints de la aplicación web integrada que proporcionan funcionalidad SQL se implementan como solicitudes GET simples, lo que los hace vulnerables a ataques CSRF. Esta vulnerabilidad permite a un atacante ejecutar comandos SQL arbitrarios mediante CSRF sin que el objetivo pretenda exponer la aplicación web a la red ni a otros usuarios. El impacto se limita a la alteración o eliminación de datos, ya que el atacante no puede leer los resultados de la consulta."}],"affected":[{"source":"security@huntr.dev","affectedData":[{"vendor":"vanna-ai","product":"vanna-ai/vanna","versions":[{"version":"unspecified","lessThanOrEqual":"latest","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-03-20T17:49:16.031033Z","id":"CVE-2024-6841","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-352"}]}],"references":[{"url":"https://huntr.com/bounties/7c6cf388-6399-4e37-99f6-3f052eb1136e","source":"security@huntr.dev"}]}}]}