
Remote Code Execution through the /save-column-filter endpoint

Moderate
aschonfeld published GHSA-c87c-78rc-vmv2 Feb 18, 2026

Package

dtale (pip)

Affected versions

< 3.20.0

Patched versions

3.20.0

Description

Impact

Users who host D-Tale publicly can be vulnerable to remote code execution, which allows attackers to run malicious code on the server.

Patches

Users should upgrade to version 3.20.0.
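
One way to check a requirements file against the affected range, as an added example that is not part of the advisory or the D-Tale project. The sample file, the `dtale-helper` package name and the `[extra]` extra are constructed for illustration, and pre-release suffixes are ignored for simplicity.

```python
import re

FIXED = (3, 20, 0)  # first patched dtale release, taken from the advisory
LOWER_BOUND_OPS = ("==", "===", "~=", ">=", ">")
# "dtale" as a whole name (not dtale-helper), optional extras, then specifiers
REQ_RE = re.compile(r"^\s*dtale(?![\w.-])\s*(\[[^\]]*\])?\s*(?P<spec>[^;#]*)", re.I)
CLAUSE_RE = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)(\.\*)?")

# Constructed sample input; every name and pin below is made up for the example.
SAMPLE = """\
# constructed requirements file
pandas>=2.0
dtale==3.19.1
DTale[extra]>=3.0,<4 ; python_version >= "3.9"
dtale-helper==1.0
dtale>=3.20.0
dtale
"""

def parse_version(text):
    """Turn '3.19' into (3, 19, 0): numeric parts, padded to three."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_line(line):
    """Return None for non-dtale lines, otherwise a verdict string."""
    match = REQ_RE.match(line)
    if not match:
        return None
    clauses = CLAUSE_RE.findall(match.group("spec"))
    # Safe only if some clause forces the resolver to 3.20.0 or later.
    if any(op in LOWER_BOUND_OPS and parse_version(ver) >= FIXED
           for op, ver, _ in clauses):
        return "patched"
    # An exact pin below the fix always installs an affected release.
    if any(op in ("==", "===") and not wildcard for op, _, wildcard in clauses):
        return "pinned-vulnerable"
    # Unpinned or loosely bounded: an affected release may still be resolved.
    return "allows-vulnerable"

def audit_requirements(text):
    """Return (line number, requirement, verdict) for every risky dtale line."""
    rows = ((n, line.strip(), audit_line(line))
            for n, line in enumerate(text.splitlines(), start=1))
    return [row for row in rows if row[2] not in (None, "patched")]

if __name__ == "__main__":
    for lineno, requirement, verdict in audit_requirements(SAMPLE):
        print(f"line {lineno}: {requirement!r} -> {verdict}")
```

Requirements reported as `allows-vulnerable` can be tightened to `dtale>=3.20.0` so a resolver cannot select an affected release.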

Workarounds

There are no workarounds for versions < 3.20.0.

Severity

Moderate

CVE ID

CVE-2026-27194

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.