CVE-2026-35052
Received Received - Intake
Remote Code Execution in D-Tale via Redis/Shelf Storage

Publication date: 2026-04-06

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35052
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
man d-tale to 3.22.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35052 is a moderate severity vulnerability in the Python package D-Tale versions prior to 3.22.0. It occurs when D-Tale is hosted publicly using Redis or shelf as the storage backend. In this setup, attackers can exploit improper neutralization of user-controllable input during web page generation, which leads to remote code execution (RCE) on the server. This means attackers can run arbitrary malicious code remotely on the affected server.

Impact Analysis

This vulnerability allows attackers to execute arbitrary code remotely on the server hosting D-Tale. Such remote code execution can lead to unauthorized access, data theft, data manipulation, service disruption, or complete compromise of the affected system.

Detection Guidance

This vulnerability affects D-Tale versions prior to 3.22.0 when hosted publicly using Redis or shelf as the storage backend. Detection involves identifying if your system is running a vulnerable D-Tale version and if it is configured with Redis or shelf storage.

You can check the installed D-Tale version by running the following command in your environment:

  • pip show dtale

To verify if Redis or shelf storage is used, review your D-Tale configuration files or environment variables for storage backend settings.

Additionally, monitoring network traffic for unusual requests to the D-Tale web interface or scanning for publicly exposed D-Tale instances may help detect potential exploitation attempts.

Mitigation Strategies

The primary and recommended mitigation is to upgrade D-Tale to version 3.22.0 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, restrict public access to the D-Tale instance, especially if it uses Redis or shelf storage backends, to prevent remote exploitation.

No other workarounds are available for versions prior to 3.22.0.

Compliance Impact

The vulnerability in D-Tale prior to version 3.22.0 allows remote code execution when hosted publicly with Redis or shelf storage backends. This could lead to unauthorized access or manipulation of data on the server.

Such unauthorized access or control over the server could potentially result in breaches of data confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability may cause non-compliance with these regulations due to the risk of exposure or alteration of sensitive personal or health data.

Upgrading to D-Tale version 3.22.0 is necessary to mitigate this risk and maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35052. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart