CVE-2024-45595 MEDIUM

CVE-2024-45595: D-Tale allows Remote Code Execution through the Query input on Chart Builder

Vendor Man-Group

Product dtale

Weakness CWE-79 · XSS

Published September 10, 2024

Last update September 10, 2024

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.

Key dates

02Disclosure timeline

September 10, 2024 CVE published

September 10, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-45595 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-1912 Citations tools <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute CVE-2024-1257 Jspxcms find_text.do cross site scripting CVE-2025-14048 SimplyConvert <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'simplyconvert_hash' Option CVE-2024-35654 WordPress Responsive theme <= 5.0.3 - Cross Site Scripting (XSS) vulnerability CVE-2026-44549 Open WebUI: Stored XSS in excel file preview