CVE-2026-27194
Remote Code Execution in D-Tale /save-column-filter Endpoint
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| man | d-tale | up to and including 3.19.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27194 is a remote code execution (RCE) vulnerability in the Python package D-Tale versions prior to 3.20.0. It arises from improper neutralization of user input in the /save-column-filter endpoint, allowing attackers to inject and execute arbitrary malicious code on servers hosting D-Tale publicly.
The root cause is that user-controllable input is either not neutralized or incorrectly neutralized before being included in web page output, which is classified under CWE-79 (Cross-site Scripting). In addition, the vulnerability is linked to how column filters build query strings directly from user input; those strings are then passed to pandas.DataFrame.query(), which can execute arbitrary Python code.
The issue has been fixed in version 3.20.0 by implementing comprehensive input validation at multiple layers to block dangerous patterns and prevent code injection.
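The pattern described above, shown as an added illustration rather than D-Tale's own code: a filter builder that splices request text into a DataFrame.query() expression next to a hardened builder that checks the column against the frame's real columns, allow-lists the operator, and binds the value as query-local data. All function names and the sample frame are assumptions made for this example.

```python
import re
from typing import Any, Dict, Iterable, Tuple

# Hypothetical helper names; this is an added example, not D-Tale code.
LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_ ]*$")   # plain column labels only
ALLOWED_OPS = {"==", "!=", "<", "<=", ">", ">="}


def vulnerable_filter(column: str, user_text: str) -> str:
    """The risky pattern: request text becomes part of the expression itself,
    so DataFrame.query() would treat it as Python rather than as data.
    Returned only as a string here; nothing evaluates it in this example."""
    return f"{column} {user_text}"


def build_column_filter(columns: Iterable[str], column: str, op: str,
                        value: Any, idx: int = 0) -> Tuple[str, Dict[str, Any]]:
    """Hardened builder: the column must already exist in the frame and look
    like a plain label, the operator comes from an allow-list, and the value
    is bound through a query-local variable (@vN) so pandas never parses it."""
    if column not in set(columns) or not LABEL_RE.match(column) or "`" in column:
        raise ValueError(f"unknown or malformed column: {column!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"operator not allowed: {op!r}")
    if isinstance(value, str) and len(value) > 256:
        raise ValueError("filter value too long")
    name = f"v{idx}"
    return f"`{column}` {op} @{name}", {name: value}


def rejects(columns: Iterable[str], column: str, op: str, value: Any) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_column_filter(columns, column, op, value)
    except ValueError:
        return True
    return False


def apply_filter(df, column: str, op: str, value: Any):
    """Run the hardened filter; column names come from the frame, not the request."""
    expr, bound = build_column_filter(df.columns, column, op, value)
    return df.query(expr, local_dict=bound)


if __name__ == "__main__":
    import pandas as pd  # only needed for this live demo
    # Constructed sample data, not taken from the advisory.
    df = pd.DataFrame({"age": [25, 40, 61], "city": ["Oslo", "Lima", "Pune"]})
    print(apply_filter(df, "age", ">=", 40))            # two rows
    print(apply_filter(df, "age", "==", "40 or True"))  # stays a string: no rows
```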
How can this vulnerability impact me?
If you are hosting a vulnerable version of D-Tale (prior to 3.20.0) publicly, attackers can exploit this vulnerability to execute arbitrary malicious code on your server remotely.
This can lead to unauthorized control over the server, data breaches, data manipulation, service disruption, or further attacks launched from the compromised server.
There are no available workarounds for affected versions below 3.20.0, so upgrading to version 3.20.0 or later is necessary to mitigate this risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects D-Tale versions prior to 3.20.0 and is exploitable through the /save-column-filter endpoint, allowing remote code execution. Detection involves determining whether your system is running a vulnerable version of D-Tale and whether the /save-column-filter endpoint is publicly accessible.
You can check the version of D-Tale installed on your system by running the following command in your Python environment:
- pip show dtale
To detect if the vulnerable endpoint is accessible on your network, you can use curl or similar tools to send a request to the /save-column-filter endpoint and observe the response. For example:
- curl -I http://your-dtale-server-address/save-column-filter
If the endpoint responds and the version is below 3.20.0, your system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade D-Tale to version 3.20.0 or later, where this vulnerability has been fixed.
Since there are no available workarounds for affected versions below 3.20.0, upgrading is critical to prevent remote code execution attacks.
Additionally, if possible, restrict public access to the D-Tale service, especially the /save-column-filter endpoint, by implementing network-level controls such as firewalls or VPNs to limit exposure.