CVE-2026-4997: Path Traversal in Sinaptik AI PandasAI
A security flaw has been discovered in Sinaptik AI PandasAI up to version 3.0.0. It affects the function is_sql_query_safe in the file pandasai/helpers/sql_sanitizer.py. Manipulating the input to this function results in path traversal. The attack may be initiated remotely. A public exploit has been released and may be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
Sinaptik AI PandasAI up to version 3.0.0 contains a path traversal vulnerability in the is_sql_query_safe function located in pandasai/helpers/sql_sanitizer.py. This vulnerability allows an unauthenticated remote attacker to manipulate input to traverse file system paths, potentially accessing unauthorized files. The vulnerability is identified as CVE-2026-4997 with a CVSS 4.0 score of 6.9 (medium severity). The vendor was notified but has not issued a response or patch. Public exploit code is available, increasing the risk of exploitation.
Potential Impact
Successful exploitation of this vulnerability could allow remote attackers to access or read files outside the intended directory structure of the application, potentially exposing sensitive information. However, there is no indication of privilege escalation or code execution. The impact is limited to information disclosure via path traversal.
Mitigation Recommendations
No official patch or fix is currently available from the vendor. Users should monitor the vendor's communications for updates. Until a fix is released, consider restricting network access to the affected application and applying compensating controls such as input validation or sandboxing to limit the impact of path traversal attempts.
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-27T13:48:11.424Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c7ceb42b68dbd88ef8dca7
Added to database: 3/28/2026, 12:51:00 PM
Last enriched: 4/5/2026, 10:51:33 AM
Last updated: 5/12/2026, 11:43:16 AM
Views: 90