Description
D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/man-group/dtale/security/advisories/GHSA-c87c-78rc-vmv2
Scores
CVSS v3
9.8
EPSS
0.0015
EPSS Percentile
34.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-74
Status
published
Products (2)
man/d-tale
< 3.19.1
pypi/dtale
0 - 3.20.0PyPI
Published
Feb 21, 2026
Tracked Since
Feb 21, 2026