pandas is vulnerable to SQL Injection
25
Low Risk
The ADBCDatabase class in pandas/io/sql.py builds SQL statements by interpolating table and schema identifiers directly into query strings without quoting or escaping. When an application passes untrusted identifiers to read_sql_table, to_sql, or delete_rows over an ADBC connection, the read_table (SELECT), to_sql (DROP TABLE), and delete_rows (DELETE FROM) paths can execute attacker-controlled SQL instead of treating the value as a literal identifier. The SQLite path already quoted identifiers, but the ADBC path had no equivalent escaping when ADBC support was added. The fix adds a _quote_identifier helper that applies ANSI SQL double-quote escaping and quotes identifiers at all three call sites.
You are affected if you are using a version that falls within the vulnerable range and pass untrusted table or schema identifiers to pandas SQL functions that use an ADBC connection.
pandas is vulnerable to SQL Injection in versions 2.2.0 - 3.0.3.
Upgrade the pandas library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant