PT-2026-28714 · Sinaptik Ai · Pandasai+1

Eric-B

Publicado

2026-03-28

Atualizado

2026-03-29

CVE-2026-4996

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Sinaptik AI PandasAI versions up to 0.1.4

Description A SQL injection issue exists in the pandasai-lancedb Extension within Sinaptik AI PandasAI. The issue is located in the file extensions/ee/vectorstores/lancedb/pandasai lancedb/lancedb.py and affects the following functions: delete question and answers, delete docs, update question answer, update docs, get relevant question answers by id, and get relevant docs by id. This manipulation can be launched remotely and the exploit is publicly available.

Recommendations Versions prior to 0.1.4 should be updated. As a temporary workaround, consider restricting access to the pandasai-lancedb Extension to minimize the risk of exploitation.

Exploit

Correção

Special Elements Injection

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-74CWE-89

Identificadores relacionados

CVE-2026-4996

Produtos afetados

Pandasai

Pandasai-Lancedb

PT-2026-28714 · Sinaptik Ai · Pandasai+1

CVE-2026-4996

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6