Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base._execute_sql_query component.
AnalysisAI
SQL injection in pandas-ai v3.0.0 allows remote code execution through the pandasai.agent.base._execute_sql_query component, enabling attackers to manipulate SQL queries and potentially access, modify, or exfiltrate database contents. No CVSS score, EPSS data, or KEV status is available; however, the vulnerability affects a widely-used data analysis library and publicly available proof-of-concept code exists, elevating real-world risk despite incomplete severity metrics.
Technical ContextAI
pandas-ai is a Python library that integrates large language models (LLMs) with data analysis workflows, allowing natural-language querying of dataframes and databases. The vulnerability exists in the _execute_sql_query method of the pandasai.agent.base module, which handles SQL query execution. The root cause is improper input validation or parameterization when constructing SQL queries, likely resulting from unsanitized LLM-generated or user-supplied input being directly concatenated into SQL statements (CWE-89: SQL Injection). This is a critical integration point where natural-language prompts are converted to database queries, creating a natural attack surface if LLM outputs or intermediate processing steps are not properly escaped or parameterized.
RemediationAI
Immediate remediation requires upgrading pandas-ai to a patched version released by Sinaptik AI; however, no specific patched version number is confirmed in the provided data. Users should monitor the official pandas-ai GitHub repository (https://github.com/sinaptik-ai/pandas-ai) and vendor security advisories for patched release announcements. As an interim mitigation, restrict database query execution to least-privilege database accounts with minimal data access, implement input validation on user-supplied prompts before LLM processing, enforce parameterized queries (prepared statements) throughout the codebase, and disable or sandbox the pandas-ai agent component until a patch is confirmed available. Organizations should also audit database logs for evidence of SQL injection attempts or unusual query patterns.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17959
GHSA-9cxr-vwm6-6vmr