Description
D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0.
Published: 2026-02-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

D‑Tale, a visualizer for pandas data structures, is vulnerable to remote code execution through its /save-column-filter endpoint. An attacker who can reach this endpoint can send a crafted request that causes the server to execute arbitrary code. The weakness is a form of expression injection, as identified by CWE‑74, allowing execution of unexpected code paths and compromising confidentiality, integrity, and availability of the host system.

Affected Systems

The vendor "man-group" provides the D‑Tale application. All releases before version 3.20.0 contain the vulnerability. The fix was introduced in 3.20.0; any deployment of earlier builds is at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates a high‑severity flaw. The EPSS score is below 1%, suggesting that exploitation is unlikely at this time, and the vulnerability is not listed in the CISA KEV catalog; it is, however, publicly disclosed. If the application is publicly reachable, attackers can potentially reach the endpoint over the internet, which makes a remote attack plausible. No special network conditions beyond public access are required.

Generated by OpenCVE AI on April 17, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade D‑Tale to version 3.20.0 or later to remove the vulnerability
  • Limit access to the /save-column-filter endpoint by requiring authentication or by exposing the service only on an internal network
  • If the endpoint is unnecessary, disable or remove it entirely
  • Validate and sanitize all input to the endpoint to prevent malformed expressions from executing

Advisories
| Source | ID | Title |
| --- | --- | --- |
| Github GHSA | GHSA-c87c-78rc-vmv2 | D-Tale affected by Remote Code Execution through the /save-column-filter endpoint |

History

Wed, 25 Feb 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 23 Feb 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Man; Man d-tale |
| CPEs | | cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:* |
| Vendors & Products | | Man; Man d-tale |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Mon, 23 Feb 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Man-group; Man-group dtale |
| Vendors & Products | | Man-group; Man-group dtale |

Sat, 21 Feb 2026 04:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0. |
| Title | | D-Tale affected by Remote Code Execution through the /save-column-filter endpoint |
| Weaknesses | | CWE-74 |
| References | | |
| Metrics | | cvssV4_0 {'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:58:24.887Z

Reserved: 2026-02-18T19:47:02.154Z

Link: CVE-2026-27194

Vulnrichment

Updated: 2026-02-24T18:58:17.152Z

NVD

Status: Analyzed

Published: 2026-02-21T05:17:29.123

Modified: 2026-02-23T20:47:29.423

Link: CVE-2026-27194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses