CVE-2026-4996

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Sinaptik AI PandasAI versions up to 0.1.4

Description A SQL injection issue exists in the pandasai-lancedb Extension within Sinaptik AI PandasAI. The issue is located in the file extensions/ee/vectorstores/lancedb/pandasai lancedb/lancedb.py and affects the following functions: delete question and answers, delete docs, update question answer, update docs, get relevant question answers by id, and get relevant docs by id. This manipulation can be launched remotely and the exploit is publicly available.

Recommendations Versions prior to 0.1.4 should be updated. As a temporary workaround, consider restricting access to the pandasai-lancedb Extension to minimize the risk of exploitation.

Exploit

Fix

Special Elements Injection

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-89

Related Identifiers

CVE-2026-4996

Affected Products

Pandasai

Pandasai-Lancedb

CVE-2026-4996

Weakness Enumeration

Related Identifiers

Affected Products

References · 6