CVE-2026-35052
Published: 06 April 2026
Description
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the RCE vulnerability by requiring timely identification, reporting, and correction of the flaw through patching to D-Tale version 3.22.0.
- Provides additional safeguards for publicly accessible systems like D-Tale, preventing unauthenticated remote exploitation when hosted publicly with Redis or shelf storage.
- Monitors and controls communications at external boundaries, blocking unauthenticated network access required to exploit the RCE vulnerability.
Security Summary
CVE-2026-35052 is a remote code execution vulnerability in D-Tale, a tool that combines a Flask backend and React frontend for viewing and analyzing Pandas data structures. The issue affects versions prior to 3.22.0 when D-Tale is hosted publicly while using a Redis or shelf storage layer, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and linked to CWE-79.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary malicious code on the server, resulting in high confidentiality, integrity, and availability impacts.
The vulnerability is addressed in D-Tale version 3.22.0. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote code execution in a publicly hosted web application (Flask/React) directly enables exploitation of public-facing applications.