CVE-2026-35052
Remote Code Execution in D-Tale via Redis/Shelf Storage
Publication date: 2026-04-06
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| man | d-tale | to 3.22.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35052 is a moderate severity vulnerability in the Python package D-Tale versions prior to 3.22.0. It occurs when D-Tale is hosted publicly using Redis or shelf as the storage backend. In this setup, attackers can exploit improper neutralization of user-controllable input during web page generation, which leads to remote code execution (RCE) on the server. This means attackers can run arbitrary malicious code remotely on the affected server.
How can this vulnerability impact me? :
This vulnerability allows attackers to execute arbitrary code remotely on the server hosting D-Tale. Such remote code execution can lead to unauthorized access, data theft, data manipulation, service disruption, or complete compromise of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects D-Tale versions prior to 3.22.0 when hosted publicly using Redis or shelf as the storage backend. Detection involves identifying if your system is running a vulnerable D-Tale version and if it is configured with Redis or shelf storage.
You can check the installed D-Tale version by running the following command in your environment:
- pip show dtale
To verify if Redis or shelf storage is used, review your D-Tale configuration files or environment variables for storage backend settings.
Additionally, monitoring network traffic for unusual requests to the D-Tale web interface or scanning for publicly exposed D-Tale instances may help detect potential exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade D-Tale to version 3.22.0 or later, where this vulnerability is fixed.
If upgrading immediately is not possible, restrict public access to the D-Tale instance, especially if it uses Redis or shelf storage backends, to prevent remote exploitation.
No other workarounds are available for versions prior to 3.22.0.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in D-Tale prior to version 3.22.0 allows remote code execution when hosted publicly with Redis or shelf storage backends. This could lead to unauthorized access or manipulation of data on the server.
Such unauthorized access or control over the server could potentially result in breaches of data confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Therefore, if exploited, this vulnerability may cause non-compliance with these regulations due to the risk of exposure or alteration of sensitive personal or health data.
Upgrading to D-Tale version 3.22.0 is necessary to mitigate this risk and maintain compliance.