Cyber Resilience

CVE-2026-35052

Medium

Published: 06 April 2026

Modified: 20 April 2026
KEV Added: not listed
Patch: available (fixed in 3.22.0)
CVSS Score v4: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0062 (45.1st percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-35052 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Man D-Tale. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 45.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Data Processing Libraries, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-35052 is a remote code execution vulnerability in D-Tale, a tool that combines a Flask backend and React frontend for viewing and analyzing Pandas data structures. The issue affects versions prior to 3.22.0 when D-Tale is hosted publicly while using a Redis or shelf storage layer, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and linked to CWE-79.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary malicious code on the server, resulting in high confidentiality, integrity, and availability impacts.

The vulnerability is addressed in D-Tale version 3.22.0. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w.

Vulnerability details

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a Redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.

CWE(s)

CWE-79 (Cross-site Scripting)

AI Security Analysis

AI Category: Data Processing Libraries
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: pandas

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote code execution in a publicly hosted web application (Flask/React) directly enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27194 (same product: Man D-Tale)
CVE-2024-56060 (shared CWE-79)
CVE-2022-50908 (shared CWE-79)
CVE-2026-44669 (shared CWE-79)
CVE-2025-23882 (shared CWE-79)
CVE-2025-68501 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2025-69316 (shared CWE-79)
CVE-2025-50006 (shared CWE-79)
CVE-2025-14320 (shared CWE-79)

Affected Assets

man d-tale ≤ 3.22.0

Mitigating Controls (NIST 800-53 r5)

Control type: prevent

Directly mitigates the RCE vulnerability by requiring timely identification, reporting, and correction of the flaw through patching to D-Tale version 3.22.0.

SC-14 (Public Access Protections) · prevent

Provides additional safeguards for publicly accessible systems like D-Tale, preventing unauthenticated remote exploitation when hosted publicly with Redis or shelf storage.

SC-7 (Boundary Protection) · prevent

Monitors and controls communications at external boundaries, blocking the unauthenticated network access required to exploit the RCE vulnerability.

References