-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PythonPythonMiggo AIRoot Cause AnalysisThe vulnerability stems from two key points: 1) In views.py's get_chart_data route handler, the 'query' parameter is extracted from untrusted HTTP requests and passed to run_query without validation. 2) run_query executes this input via pandas' query() method using the inherently unsafe 'python' engine. The GitHub patch adds a security gate (enable_custom_filters check) in get_chart_data, confirming these were the vulnerable entry points. The CWE-74 classification and commit diff both indicate improper neutralization of injection vectors in these functions.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dtale | pip | < 3.14.1 | 3.14.1 |
Ongoing coverage of React2Shell