Cyber Resilience

CVE-2026-27194

High

Published: 21 February 2026

Modified: 23 February 2026
CVSS Score v4: 8.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0071 (48.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27194 is a high-severity Injection (CWE-74) vulnerability in Man D-Tale. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 48.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related: its category is Data Processing Libraries and its risk domain is Supply Chain and Deployment.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27194 is a remote code execution vulnerability affecting D-Tale, a visualizer for pandas data structures, in versions prior to 3.20.0. The flaw exists in the /save-column-filter endpoint, which allows attackers to execute arbitrary code on the server. Published on 2026-02-21, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection').

Any unauthenticated attacker with network access to a publicly hosted D-Tale instance can exploit this vulnerability without user interaction or privileges. Successful exploitation lets the attacker run malicious code on the affected server, with high impact on confidentiality, integrity, and availability.

The issue has been addressed in D-Tale version 3.20.0. The GitHub security advisory (GHSA-c87c-78rc-vmv2) and fixing commit (431c6148d3c799de20e1dec86c4432f48e3d0746) detail the patch, and immediate upgrades are recommended for exposed deployments.

Vulnerability details

D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0.

AI Security Analysis

AI Category: Data Processing Libraries
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: pandas

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-27194 is a remote code execution vulnerability in a public-facing web application (D-Tale), directly enabling exploitation of public-facing applications via unauthenticated network access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35052: Same product: Man D-Tale
CVE-2026-26164: Shared CWE-74
CVE-2026-33833: Shared CWE-74
CVE-2026-25814: Shared CWE-74
CVE-2026-27727: Shared CWE-74
CVE-2026-7770: Shared CWE-74
CVE-2022-31631: Shared CWE-74
CVE-2026-26002: Shared CWE-74
CVE-2026-2019: Shared CWE-74
CVE-2026-32695: Shared CWE-74

Affected Assets

man d-tale, versions ≤ 3.19.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely remediation of known software flaws like this RCE vulnerability by applying the vendor patch in D-Tale version 3.20.0.

Prevent: Enforces validation of all information inputs to endpoints such as /save-column-filter, preventing improper neutralization that enables RCE.

Prevent: Provides protections for publicly accessible interfaces like the vulnerable D-Tale endpoint, rejecting unauthorized access or enforcing controls on public exposure.
