CVE-2024-12366

critical

Description

PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution (RCE) instead of the intended explanation of the natural language processing by the LLM.

References

https://kb.cert.org/vuls/id/148244

https://www.kb.cert.org/vuls/id/148244

https://docs.pandas-ai.com/advanced-security-agent

https://docs.getpanda.ai/v3/privacy-security

Details

Source: Mitre, NVD

Published: 2025-02-11

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00329