Cyber Posture

CVE-2026-35052

CriticalUpdated

Published: 06 April 2026

Published
06 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 31.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35052 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Man D-Tale. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the RCE vulnerability by requiring timely identification, reporting, and correction of the flaw through patching to D-Tale version 3.22.0.

SC-14 Public Access Protections good match
prevent

Provides additional safeguards for publicly accessible systems like D-Tale, preventing unauthenticated remote exploitation when hosted publicly with Redis or shelf storage.

SC-7 Boundary Protection good match
prevent

Monitors and controls communications at external boundaries, blocking unauthenticated network access required to exploit the RCE vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated remote code execution in a publicly hosted web application (Flask/React) directly enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code…

more

execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.

Deeper analysisAI

CVE-2026-35052 is a remote code execution vulnerability in D-Tale, a tool that combines a Flask backend and React frontend for viewing and analyzing Pandas data structures. The issue affects versions prior to 3.22.0 when D-Tale is hosted publicly while using a Redis or shelf storage layer, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and linked to CWE-79.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary malicious code on the server, resulting in high confidentiality, integrity, and availability impacts.

The vulnerability is addressed in D-Tale version 3.22.0. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w.

Details

CWE(s)
CWE-79NVD-CWE-noinfo

Affected Products

man
d-tale
≤ 3.22.0

CVEs Like This One

CVE-2026-27194Same product: Man D-Tale
CVE-2024-12633Shared CWE-79
CVE-2025-8456Shared CWE-79
CVE-2024-56056Shared CWE-79
CVE-2024-56299Shared CWE-79
CVE-2025-52436Shared CWE-79
CVE-2025-23459Shared CWE-79
CVE-2025-22547Shared CWE-79
CVE-2025-23570Shared CWE-79
CVE-2025-22353Shared CWE-79

References