CVE-2024-5565: The Vanna library uses a prompt function to present the user with visualized results; it is possible to alter the prompt
Summary
The Vanna library (a tool for generating data visualizations) is vulnerable to prompt injection (tricking an AI by hiding instructions in its input): an attacker can alter how the library processes a user request so that it runs arbitrary Python code instead of creating the intended visualization. The issue arises when external input is sent to the library's 'ask' method with visualization enabled, which is the default setting, and it leads to remote code execution (attackers being able to run commands on a system they don't own).
Vulnerability Details
8.1 (high)
EPSS: 5.1%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-5565
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 92%