CVE-2023-46134

D-Tale vulnerable to Remote Code Execution through the Custom Filter Input

Description

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.

Category

6.1
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 2.33% Top 20%
Vendor Advisory github.com
Affected: man-group dtale
Published at:
Updated at:

References

Link Tags
https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm vendor advisory
https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668 patch

Frequently Asked Questions

What is the severity of CVE-2023-46134?
CVE-2023-46134 has been scored as a medium severity vulnerability.
How to fix CVE-2023-46134?
To fix CVE-2023-46134, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-46134 being actively exploited in the wild?
It is possible that CVE-2023-46134 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-46134?
CVE-2023-46134 affects man-group dtale.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.