D-Tale vulnerable to Remote Code Execution through the Custom Filter Input
CVE-2023-46134

6.1MEDIUM

Key Information:

Vendor: Man-group
Status: Dtale
Vendor: CVE Published:; 25 October 2023

Badges

📰 News Worthy

What is CVE-2023-46134?

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.

Affected Version(s)

dtale < 3.7.0

News Articles

Vulert

CVE-2023-46134

CVE-2023-46134: dtale vulnerable to Remote Code Execution through the Custom Filter Input

CVE-2023-46134: dtale vulnerable to Remote Code Execution through the Custom Filter Input. Learn about the vulnerability in dtale versions prior to 3.7.0 and how to fix it. Find FAQs and contact [email protected] for support.

References

https://github.com/man-group/dtale/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/man-group/dtale/commit/bf8c54ab2490803...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by Vulert
Jun 3, 2025
Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Oct 16, 2023

Man-group