CVE-2026-38360
Published 2026-05-08
Priority: P2 67 · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 5.98% (92.4th percentile)
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.
Detection & IOCs (extracted from sources)
- Look for POST requests to /API/dash-uploader or /API/resumable with a multipart form-data body containing an upload_id field set to a path-traversal string (e.g., '../assets'). This is the exploitation vector for the unauthenticated arbitrary file write.
- The exploit requires no authentication (PR:N, UI:N). Any POST to /API/dash-uploader or /API/resumable with a traversal sequence in the upload_id parameter should be treated as a high-confidence attack attempt.
- Identify exposed dash-uploader instances via Shodan or FOFA using the fingerprint string '_dash-undo-redo' in the HTML body, then probe /API/dash-uploader and /API/resumable endpoints.
- Successful exploitation can be confirmed by a subsequent GET to /assets/<uploaded_filename> returning HTTP 200 with the uploaded content, indicating the file was written outside the intended upload directory.
- The vulnerable code paths are BaseHttpRequestHandler.get_temp_root() and BaseHttpRequestHandler._post() in dash_uploader/httprequesthandler.py. Monitor or audit these functions for unsanitized path concatenation.
- The vulnerability affects dash-uploader versions 0.1.0 through 0.7.0a2 inclusive. Versions beyond 0.7.0a2 are not confirmed vulnerable.
- The Nuclei template uses a flow condition: exploitation succeeds via EITHER the /API/dash-uploader endpoint OR the /API/resumable endpoint. Both must be checked during detection; blocking only one endpoint is insufficient.
GHSA (unreviewed) · GHSA-3rf6-x59v-5jfv · 2026-05-08 · CVE-2026-38360 · CRITICAL · CWE-22
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.
VulDB · 2026-05-08 · CVSS 9.8 · CVE-2026-38360 · CRITICAL
fohrloop dash-uploader up to 0.1.0/0.7.0a2 httprequesthandler.py BaseHttpRequestHandler.get_temp_root path traversal
A vulnerability classified as critical was found in fohrloop dash-uploader up to 0.1.0/0.7.0a2. Affected is the function BaseHttpRequestHandler.get_temp_root of the file dash_uploader/httprequesthandler.py. Such manipulation leads to path traversal.
This vulnerability is documented as CVE-2026-38360. The attack can be executed remotely. There is not any exploit available.
GHSA · 2026-05-08 · CVE-2026-38360 · CRITICAL · CWE-22
dash-uploader has a directory traversal vulnerability
### Impact
An unauthenticated path traversal vulnerability exists in [dash-uploader](https://pypi.org/project/dash-uploader/) versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at `dash_uploader/httprequesthandler.py` reads three form parameters (`upload_id`, `resumableFilename`, `resumableIdentifier`) from `request.form.get()` and passes them directly to `os.path.join()` and `os.makedirs()` without any sanitization.
A single unauthenticated `POST /API/dash-uploader` request with `upload_id` set to a relative path (e.g. `../../etc/cron.d` or `../venv/lib/python3.13/site-packages`) escapes the application's `uploads/` directory and writes the supplied file content to the chosen target path under the privilege of the gu
No detection rules found.
Nuclei · CVSS 9.8 · CVE-2026-38360 · CRITICAL
dash-uploader 0.1.0 - 0.7.0a2 - Unauthenticated Arbitrary File Write via Path Traversal
fohrloop dash-uploader v0.1.0 through v0.7.0a2 contains a directory traversal vulnerability caused by improper handling in dash_uploader/httprequesthandler.py components, letting remote attackers execute arbitrary code; the exploit requires no special privileges.
Template:
```yaml
id: CVE-2026-38360
info:
  name: dash-uploader 0.1.0 - 0.7.0a2 - Unauthenticated Arbitrary File Write via Path Traversal
  author: a1ohadance
  severity: critical
  description: |
    fohrloop dash-uploader v0.1.0 through v0.7.0a2 contains a directory traversal vulnerability caused by improper handling in dash_uploader/httprequesthandler.py components, letting remote attackers execute arbitrary code, exploit requires no special privileges.
  impact
```
No writeups or analysis indexed.
References:
- https://github.com/a1ohadance/CVE-2026-38360
- https://github.com/advisories/GHSA-3rf6-x59v-5jfv
- https://github.com/fohrloop/dash-uploader
- https://github.com/fohrloop/dash-uploader/blob/dev/dash_uploader/httprequesthandler.py
- https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py
- https://github.com/fohrloop/dash-uploader/issues/153
- https://github.com/github/advisory-database/pull/7635
- https://pypi.org/project/dash-uploader/
Published: 2026-05-08