CVE-2026-35052
Published: 06 April 2026
Summary
CVE-2026-35052 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Man D-Tale. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Data Processing Libraries; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-35052 is a remote code execution vulnerability in D-Tale, a tool that combines a Flask backend and React frontend for viewing and analyzing Pandas data structures. The issue affects versions prior to 3.22.0 when D-Tale is hosted publicly while using a Redis or shelf storage layer, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and linked to CWE-79.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary malicious code on the server, resulting in high confidentiality, integrity, and availability impacts.
The vulnerability is addressed in D-Tale version 3.22.0. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19410
Vulnerability details
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code…
more
execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Data Processing Libraries
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: pandas
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote code execution in a publicly hosted web application (Flask/React) directly enables exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the RCE vulnerability by requiring timely identification, reporting, and correction of the flaw through patching to D-Tale version 3.22.0.
Provides additional safeguards for publicly accessible systems like D-Tale, preventing unauthenticated remote exploitation when hosted publicly with Redis or shelf storage.
Monitors and controls communications at external boundaries, blocking unauthenticated network access required to exploit the RCE vulnerability.