
Man-Group Dtale vulnerabilities

9 known vulnerabilities affecting man-group/dtale.

Total CVEs: 9
CISA KEV: 0
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 2, MEDIUM 2

Vulnerabilities

CVE-2024-3408 | P1 | HIGH | Exploited | PoC | ≥ 0, ≤ 3.10.0 | 2024-06-06
CVE-2024-3408 [HIGH] CWE-20 Authentication bypass in dtale
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute ar
Sources: ghsa, osv

CVE-2024-55890 | P1 | MEDIUM | CVSS 6.9 | Exploited | PoC | fixed in 3.16.1 | 2024-12-13
CVE-2024-55890 [MEDIUM] CWE-79
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag
Sources: ghsa, nvd, osv

CVE-2026-27194 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.20.0 | 2026-02-21
CVE-2026-27194 [CRITICAL] CWE-74
D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0.
Sources: ghsa, nvd, osv

CVE-2026-35052 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.22.0 | 2026-04-06
CVE-2026-35052 [CRITICAL] CWE-79
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.
Sources: ghsa, nvd, osv

CVE-2024-8862 | P2 | MEDIUM | ≥ 0, < 3.14.1 | 2024-09-16
CVE-2024-8862 [MEDIUM] CWE-74 D-Tale Command Execution Vulnerability
D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. In `dtale\views.py`, under the route `@dtale.route("/chart-data/")`, the query parameters from the request are directly passed into `run_query` for execution. And the `run_query` function calls proceed without performing any processing or sanitization of the query
Sources: ghsa, osv

CVE-2024-45595 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.14.1 | 2024-09-10
CVE-2024-45595 [CRITICAL] CWE-79
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.
Sources: ghsa, nvd, osv

CVE-2023-46134 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.7.0 | 2023-10-25
CVE-2023-46134 [CRITICAL] CWE-79
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by d
Sources: ghsa, nvd, osv

CVE-2024-21642 | P3 | HIGH | CVSS 7.5 | fixed in 3.9.0 | 2024-01-05
CVE-2024-21642 [HIGH] CWE-918
D-Tale is a visualizer for Pandas data structures. Users hosting versions of D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier
Sources: ghsa, nvd, osv

CVE-2025-0655 | CRITICAL | PoC | ≥ 0, < 3.17.0 | 2025-03-20
CVE-2025-0655 [CRITICAL] CWE-77 Duplicate Advisory: D-Tale Command Injection vulnerability
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-832w-fhmw-w4f4. This link is maintained to preserve external references.
Original Description: A vulnerability in man-group/dtale versions 3.15.1 allows an attacker to override global state settings to enable the `enable_custom_filters` feature, which is ty
Sources: ghsa