Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
9 vulnerabilities by man-group
CVE-2026-35052 (GCVE-0-2026-35052)
Vulnerability from cvelistv5 – Published: 2026-04-06 17:32 – Updated: 2026-04-07 15:59
VLAI
Title
D-Tale affected by Remote Code Execution through redis/shelf storage
Summary
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/man-group/dtale/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35052",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T15:18:40.362469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:59:35.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.22.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is the combination of a Flask back-end and a React front-end to view \u0026 analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T17:32:28.227Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w"
}
],
"source": {
"advisory": "GHSA-436g-fhfc-9g5w",
"discovery": "UNKNOWN"
},
"title": "D-Tale affected by Remote Code Execution through redis/shelf storage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35052",
"datePublished": "2026-04-06T17:32:28.227Z",
"dateReserved": "2026-03-31T21:06:06.429Z",
"dateUpdated": "2026-04-07T15:59:35.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27194 (GCVE-0-2026-27194)
Vulnerability from cvelistv5 – Published: 2026-02-21 04:25 – Updated: 2026-02-24 18:58
VLAI
Title
D-Tale affected by Remote Code Execution through the /save-column-filter endpoint
Summary
D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/man-group/dtale/security/advis… | x_refsource_CONFIRM |
| https://github.com/man-group/dtale/commit/431c614… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27194",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T18:58:04.663609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T18:58:24.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.20.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T04:25:38.628Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-c87c-78rc-vmv2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-c87c-78rc-vmv2"
},
{
"name": "https://github.com/man-group/dtale/commit/431c6148d3c799de20e1dec86c4432f48e3d0746",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/431c6148d3c799de20e1dec86c4432f48e3d0746"
}
],
"source": {
"advisory": "GHSA-c87c-78rc-vmv2",
"discovery": "UNKNOWN"
},
"title": "D-Tale affected by Remote Code Execution through the /save-column-filter endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27194",
"datePublished": "2026-02-21T04:25:38.628Z",
"dateReserved": "2026-02-18T19:47:02.154Z",
"dateUpdated": "2026-02-24T18:58:24.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0655 (GCVE-0-2025-0655)
Vulnerability from cvelistv5 – Published: 2025-03-20 10:11 – Updated: 2025-04-15 15:57
VLAI
** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-55890. Notes: All CVE users should reference CVE-2024-55890 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-04-15T15:57:29.661Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-55890. Notes: All CVE users should reference CVE-2024-55890 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
],
"value": "** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-55890. Notes: All CVE users should reference CVE-2024-55890 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-0655",
"datePublished": "2025-03-20T10:11:12.681Z",
"dateRejected": "2025-04-15T15:57:29.661Z",
"dateReserved": "2025-01-22T18:15:59.356Z",
"dateUpdated": "2025-04-15T15:57:29.661Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9016 (GCVE-0-2024-9016)
Vulnerability from cvelistv5 – Published: 2025-03-20 10:09 – Updated: 2025-04-15 15:51
VLAI
** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-45595. Notes: All CVE users should reference CVE-2024-45595 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-04-15T15:51:15.829Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-45595. Notes: All CVE users should reference CVE-2024-45595 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
],
"value": "** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-45595. Notes: All CVE users should reference CVE-2024-45595 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-9016",
"datePublished": "2025-03-20T10:09:34.885Z",
"dateRejected": "2025-04-15T15:51:15.829Z",
"dateReserved": "2024-09-19T18:58:29.466Z",
"dateUpdated": "2025-04-15T15:51:15.829Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55890 (GCVE-0-2024-55890)
Vulnerability from cvelistv5 – Published: 2024-12-13 18:00 – Updated: 2024-12-13 18:48
VLAI
Title
D-Tale allows Remote Code Execution through the Custom Filter Input
Summary
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/man-group/dtale/security/advis… | x_refsource_CONFIRM |
| https://github.com/man-group/dtale/commit/1e26ed3… | x_refsource_MISC |
| https://github.com/man-group/dtale#custom-filter | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:48:32.945370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:48:43.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:00:04.173Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-832w-fhmw-w4f4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-832w-fhmw-w4f4"
},
{
"name": "https://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a"
},
{
"name": "https://github.com/man-group/dtale#custom-filter",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale#custom-filter"
}
],
"source": {
"advisory": "GHSA-832w-fhmw-w4f4",
"discovery": "UNKNOWN"
},
"title": "D-Tale allows Remote Code Execution through the Custom Filter Input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55890",
"datePublished": "2024-12-13T18:00:04.173Z",
"dateReserved": "2024-12-12T15:03:39.205Z",
"dateUpdated": "2024-12-13T18:48:43.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45595 (GCVE-0-2024-45595)
Vulnerability from cvelistv5 – Published: 2024-09-10 16:03 – Updated: 2024-09-10 18:56
VLAI
Title
D-Tale allows Remote Code Execution through the Query input on Chart Builder
Summary
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/man-group/dtale/security/advis… | x_refsource_CONFIRM |
| https://github.com/man-group/dtale/commit/b6e3096… | x_refsource_MISC |
| https://github.com/man-group/dtale#custom-filter | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T18:56:46.364218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T18:56:57.922Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.14.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the \"Custom Filter\" input is turned off by default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T16:03:56.717Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff"
},
{
"name": "https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8"
},
{
"name": "https://github.com/man-group/dtale#custom-filter",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale#custom-filter"
}
],
"source": {
"advisory": "GHSA-pw44-4h99-wqff",
"discovery": "UNKNOWN"
},
"title": "D-Tale allows Remote Code Execution through the Query input on Chart Builder"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45595",
"datePublished": "2024-09-10T16:03:56.717Z",
"dateReserved": "2024-09-02T16:00:02.423Z",
"dateUpdated": "2024-09-10T18:56:57.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3408 (GCVE-0-2024-3408)
Vulnerability from cvelistv5 – Published: 2024-06-06 18:54 – Updated: 2024-11-03 18:27
VLAI
Title
Authentication Bypass and RCE in man-group/dtale
Summary
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| man-group | man-group/dtale |
Affected:
unspecified , < 3.13.1
(custom)
|
|
| man-group | dtale |
Affected:
3.10.0
cpe:2.3:a:man-group:dtale:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:man-group:dtale:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "3.10.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3408",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T19:31:56.326871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:34:27.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:12:07.312Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "man-group/dtale",
"vendor": "man-group",
"versions": [
{
"lessThan": "3.13.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-03T18:27:22.142Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91"
},
{
"url": "https://github.com/man-group/dtale/commit/32bd6fb4a63de779ff1e51823a456865ea3cbd13"
}
],
"source": {
"advisory": "57a06666-ff85-4577-af19-f3dfb7b02f91",
"discovery": "EXTERNAL"
},
"title": "Authentication Bypass and RCE in man-group/dtale"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-3408",
"datePublished": "2024-06-06T18:54:43.713Z",
"dateReserved": "2024-04-05T19:26:41.533Z",
"dateUpdated": "2024-11-03T18:27:22.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21642 (GCVE-0-2024-21642)
Vulnerability from cvelistv5 – Published: 2024-01-05 21:11 – Updated: 2025-06-17 20:29
VLAI
Title
D-Tale server-side request forgery through Web uploads
Summary
D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/man-group/dtale/security/advis… | x_refsource_CONFIRM |
| https://github.com/man-group/dtale/commit/954f6be… | x_refsource_MISC |
| https://github.com/man-group/dtale?tab=readme-ov-… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"
},
{
"name": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"
},
{
"name": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21642",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-08T15:25:38.388086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:14.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T21:11:41.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"
},
{
"name": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"
},
{
"name": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"
}
],
"source": {
"advisory": "GHSA-7hfx-h3j3-rwq4",
"discovery": "UNKNOWN"
},
"title": "D-Tale server-side request forgery through Web uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21642",
"datePublished": "2024-01-05T21:11:41.528Z",
"dateReserved": "2023-12-29T03:00:44.958Z",
"dateUpdated": "2025-06-17T20:29:14.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46134 (GCVE-0-2023-46134)
Vulnerability from cvelistv5 – Published: 2023-10-25 20:51 – Updated: 2024-09-10 14:06
VLAI
Title
D-Tale vulnerable to Remote Code Execution through the Custom Filter Input
Summary
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/man-group/dtale/security/advis… | x_refsource_CONFIRM |
| https://github.com/man-group/dtale/commit/bf8c54a… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm"
},
{
"name": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T13:58:12.597618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T14:06:54.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is the combination of a Flask back-end and a React front-end to view \u0026 analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off \"Custom Filter\" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T20:51:40.321Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm"
},
{
"name": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668"
}
],
"source": {
"advisory": "GHSA-jq6c-r9xf-qxjm",
"discovery": "UNKNOWN"
},
"title": "D-Tale vulnerable to Remote Code Execution through the Custom Filter Input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46134",
"datePublished": "2023-10-25T20:51:40.321Z",
"dateReserved": "2023-10-16T17:51:35.574Z",
"dateUpdated": "2024-09-10T14:06:54.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}