CVE-2024-12366
CRITICAL: PandasAI - Remote Code Execution via Prompt Injection
Title source: llmDescription
PandasAI uses an interactive prompt function that is vulnerable to prompt injection: instead of producing the intended natural-language explanation, the LLM can be made to emit arbitrary Python code that PandasAI then executes, which can lead to Remote Code Execution (RCE).
References (3)
Core References:
- Various Sources: https://docs.getpanda.ai/v3/privacy-security
- Various Sources: https://docs.pandas-ai.com/advanced-security-agent
- Third Party Advisory, US Government Resource: https://www.kb.cert.org/vuls/id/148244
Scores
CVSS v3: 9.8
EPSS: 0.0590
EPSS Percentile: 90.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
Status: published
Products (2)
- pypi/pandasai (PyPI)
- Sinaptik AI/PandasAI 2.4.0
Published: Feb 11, 2025
Tracked Since: Feb 18, 2026