Cyber Posture

CVE-2026-4998

High

Published: 28 March 2026

Modified: 24 April 2026
KEV Added
Patch
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0003 (10.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4998 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 10.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Data Processing Libraries.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the code injection vulnerability by requiring validation and sanitization of untrusted chat message inputs to the CodeExecutor.execute function.

prevent

Requires timely identification, reporting, and remediation of the specific code injection flaw in PandasAI versions up to 3.0.0.

prevent

Implements memory protections such as DEP and ASLR to prevent unauthorized code execution even if malicious code is injected via the Chat Message Handler.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

Remote unauthenticated code injection in network-accessible PandasAI Chat Message Handler / CodeExecutor directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.006 (Python) for arbitrary code execution in the application context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in Sinaptik AI PandasAI up to 3.0.0. This vulnerability affects the function CodeExecutor.execute of the file pandasai/core/code_execution/code_executor.py of the component Chat Message Handler. Executing a manipulation can lead to code injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis

CVE-2026-4998 is a code injection vulnerability in Sinaptik AI PandasAI versions up to 3.0.0. The issue resides in the CodeExecutor.execute function within the file pandasai/core/code_execution/code_executor.py, part of the Chat Message Handler component. It allows manipulation that leads to arbitrary code execution, as identified by CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-94 (Improper Control of Generation of Code). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network-accessible nature with low attack complexity and no required privileges.

Attackers can exploit this vulnerability remotely by crafting malicious input to the affected Chat Message Handler, leading to code injection without authentication. Successful exploitation grants limited impacts on confidentiality, integrity, and availability, potentially allowing attackers to execute arbitrary code in the context of the PandasAI application. No user interaction is needed, making it suitable for automated attacks against exposed instances.

Advisories from VulDB, including entries at vuldb.com/vuln/353885 and vuldb.com/vuln/353885/cti, detail the issue but note no vendor response despite early contact. A public exploit is available at gist.github.com/YLChen-007/78ed1dbcccdb8895adb230dddde3316d, increasing the risk of active attacks. No patches or mitigations are provided by the vendor Sinaptik AI.

This vulnerability is particularly relevant to AI/ML workflows, as PandasAI integrates conversational AI capabilities with pandas dataframes, potentially exposing data processing pipelines in automated analysis environments to remote code execution risks. The public exploit availability heightens the urgency for users to isolate or upgrade affected deployments.

Details

CWE(s)

AI Security Analysis

AI Category: Data Processing Libraries
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-2008: shared CWE-74, CWE-94
CVE-2026-5970: shared CWE-74, CWE-94
CVE-2026-6110: shared CWE-74, CWE-94
CVE-2026-3409: shared CWE-74, CWE-94
CVE-2026-5631: shared CWE-74, CWE-94
CVE-2026-5584: shared CWE-74, CWE-94
CVE-2026-6603: shared CWE-74, CWE-94
CVE-2026-41138: shared CWE-94
CVE-2025-54550: shared CWE-94
CVE-2026-24002: shared CWE-74
