CVE-2026-38360
published 2026-05-08


Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 5.98% (92.4th percentile)
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.

Detection & IOCs (extracted from sources)

  • path: dash_uploader/httprequesthandler.py
  • url: /API/dash-uploader
  • url: /API/resumable
  • path: ../assets
  • other: shodan:html:"_dash-undo-redo"
  • other: fofa:body="_dash-undo-redo"
  • Look for POST requests to /API/dash-uploader or /API/resumable with a multipart form-data body containing an upload_id field set to a path-traversal string (e.g., '../assets'). This is the exploitation vector for the unauthenticated arbitrary file write.
  • The exploit requires no authentication (PR:N, UI:N). Any POST to /API/dash-uploader or /API/resumable with a traversal sequence in the upload_id parameter should be treated as a high-confidence attack attempt.
  • Identify exposed dash-uploader instances via Shodan or FOFA using the fingerprint string '_dash-undo-redo' in the HTML body, then probe /API/dash-uploader and /API/resumable endpoints.
  • Successful exploitation can be confirmed by a subsequent GET to /assets/<uploaded_filename> returning HTTP 200 with the uploaded content, indicating the file was written outside the intended upload directory.
  • The vulnerable code paths are BaseHttpRequestHandler.get_temp_root() and BaseHttpRequestHandler._post() in dash_uploader/httprequesthandler.py. Monitor or audit these functions for unsanitized path concatenation.
  • The vulnerability affects dash-uploader versions 0.1.0 through 0.7.0a2 inclusive. Versions beyond 0.7.0a2 are not confirmed vulnerable.
  • The Nuclei template uses a flow condition: exploitation succeeds via EITHER the /API/dash-uploader endpoint OR the /API/resumable endpoint. Both must be checked during detection; blocking only one endpoint is insufficient.
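The detection bullets above can be turned into a small check that runs over parsed request records: flag any POST to either watched endpoint whose upload_id field carries a traversal sequence (after URL-decoding, including double-encoding), and, on the mitigation side, resolve the per-upload directory and reject anything that lands outside the upload root. This is an added example written for this record; it is not code from dash-uploader, from the Nuclei template, or from the CVE source. The request dict shape, the helper names, the UPLOAD_ROOT value and the sample requests are all constructed for illustration; only the two endpoint paths and the upload_id field name come from the IoCs above.

```python
"""Detection and containment checks for the dash-uploader upload_id traversal.

Added example; not dash-uploader's own code. The request records, the
UPLOAD_ROOT value and every helper name here are constructed/hypothetical.
"""
import os
from typing import Optional
from urllib.parse import unquote

# Endpoints named in the IoCs; upload_id is the form field that carries the traversal.
WATCHED_PATHS = {"/API/dash-uploader", "/API/resumable"}
FIELD = "upload_id"
UPLOAD_ROOT = "/srv/dash-uploads"  # constructed root; not a path from the project


def has_traversal(value: str) -> bool:
    """True if the value could escape its directory: a '..' path segment
    after URL-decoding (decoded twice to catch %252e%252e), a backslash
    segment separator, or an absolute path."""
    decoded = unquote(unquote(value))
    norm = decoded.replace("\\", "/")
    if norm.startswith("/"):
        return True
    return any(seg == ".." for seg in norm.split("/"))


def classify_request(req: dict) -> Optional[str]:
    """Return an alert string for one request record, or None if benign.

    A record is a dict with keys 'method', 'path' (may carry a query
    string) and 'form' (dict of multipart form fields)."""
    if req.get("method") != "POST":
        return None
    path = req.get("path", "").split("?", 1)[0]
    if path not in WATCHED_PATHS:
        return None
    value = req.get("form", {}).get(FIELD)
    if value is None or not has_traversal(value):
        return None
    return f"traversal in {FIELD} on {path}: {value!r}"


def scan(requests: list) -> list:
    """Run classify_request over a batch and keep only the alerts."""
    return [alert for alert in map(classify_request, requests) if alert]


def resolve_within(root: str, upload_id: str) -> str:
    """Hypothetical hardened lookup of the per-upload temp directory:
    join, canonicalise, and refuse anything that resolves outside root.
    This is the mitigation shape, not dash-uploader's get_temp_root()."""
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, upload_id))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError("upload_id escapes the upload root")
    return candidate


def accepts_upload_id(upload_id: str) -> bool:
    """Convenience wrapper: does the hardened lookup accept this upload_id?"""
    try:
        resolve_within(UPLOAD_ROOT, upload_id)
        return True
    except ValueError:
        return False


# Constructed sample traffic: two benign requests, two traversal attempts,
# and one traversal string on an endpoint that is not watched.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/API/dash-uploader",
     "form": {"upload_id": "upload-a1b2c3", "resumableFilename": "report.csv"}},
    {"method": "GET", "path": "/assets/report.csv", "form": {}},
    {"method": "POST", "path": "/API/resumable",
     "form": {"upload_id": "../assets", "resumableFilename": "index.html"}},
    {"method": "POST", "path": "/API/dash-uploader?chunk=1",
     "form": {"upload_id": "%2e%2e%2fassets", "resumableFilename": "x.txt"}},
    {"method": "POST", "path": "/API/other",
     "form": {"upload_id": "../x"}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print("ALERT:", alert)
```

The double unquote in has_traversal is deliberate: a single decode misses `%252e%252e`, which a web framework would decode once and then the application might decode again when it builds the path. resolve_within uses realpath on both sides so that symlinked roots compare equal, and commonpath rather than a string prefix test so that a sibling directory such as `/srv/dash-uploads-old` is not mistaken for a child of the root.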