CVE-2026-38360

fohrloop · dash-uploader

A directory traversal vulnerability in the dash-uploader component allows remote attackers to execute arbitrary code via crafted HTTP requests.

Executive summary

A critical directory traversal vulnerability in fohrloop dash-uploader permits unauthenticated remote code execution on the host that serves the Dash application.

Vulnerability

The flaw is in httprequesthandler.py, in the get_temp_root and _post methods: the temporary storage path for an upload is built from request-controlled values without confining the result to the configured upload directory. An unauthenticated remote attacker can therefore escape the restricted directory and write uploaded content elsewhere on the filesystem, which is sufficient for arbitrary code execution on the underlying host.
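To make the flaw class concrete, here is an added example written for this page (it is not dash-uploader's own code) that contrasts a join-and-hope temp-path builder with a hardened one. The function names, argument names and the temp root are assumptions. The hardened version shows the check a fix needs: reject separators, dot segments, NUL bytes and absolute components in each request-controlled segment, then resolve the final path and require that it stays under the resolved root.

```python
import os
from pathlib import Path

# Added illustration of the traversal class described in the advisory. This
# is NOT dash-uploader's code; the function names, argument names and the
# temp-root layout are assumptions made for the example.


class PathTraversalError(ValueError):
    """Raised when a request-controlled segment would leave the upload root."""


def unsafe_temp_path(temp_root: str, upload_id: str, filename: str) -> str:
    """Vulnerable pattern: request-controlled segments are joined without
    checking that the result stays under temp_root.  Two failure modes:
    ".." components climb out of the root, and an absolute component makes
    os.path.join discard everything before it."""
    return os.path.join(temp_root, upload_id, filename)


def safe_temp_path(temp_root: str, upload_id: str, filename: str) -> str:
    """Hardened pattern: reject suspicious segments outright, then resolve the
    final path and require that it stays under the resolved root."""
    root = Path(temp_root).resolve()
    for segment in (upload_id, filename):
        if not segment or segment in (".", ".."):
            raise PathTraversalError(f"empty or dot segment: {segment!r}")
        if (os.path.isabs(segment) or "/" in segment
                or "\\" in segment or "\x00" in segment):
            raise PathTraversalError(
                f"separator, absolute path or NUL in {segment!r}")
    # resolve() canonicalises ".." and follows symlinks in existing parents,
    # so a symlinked upload_id directory cannot redirect the write either.
    candidate = (root / upload_id / filename).resolve()
    if root not in candidate.parents:
        raise PathTraversalError(f"{candidate} is outside {root}")
    return str(candidate)


def try_safe_temp_path(temp_root: str, upload_id: str, filename: str):
    """Convenience wrapper: None instead of an exception on rejection."""
    try:
        return safe_temp_path(temp_root, upload_id, filename)
    except PathTraversalError:
        return None


if __name__ == "__main__":
    root = "/srv/dash-uploader/tmp"  # assumed location, for the demo only
    print(unsafe_temp_path(root, "..", "../etc/cron.d/job"))   # climbs out
    print(unsafe_temp_path(root, "abc123", "/etc/passwd"))     # root dropped
    print(try_safe_temp_path(root, "..", "../etc/cron.d/job"))  # None
    print(try_safe_temp_path(root, "abc123", "report.csv"))     # inside root
```

The containment check has to run on the values the web framework has already decoded (form fields, query parameters, JSON bodies): a literal `..%2f` that is never decoded is merely an odd filename, but the same bytes decoded before they reach os.path.join are a traversal.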

Business impact

The vulnerability has a CVSS base score of 9.8 (critical). Successful exploitation grants an attacker full control over the affected system, potentially leading to unauthorized data exfiltration, total system compromise, and significant operational downtime.

Remediation

Immediate Action: Inventory every environment that installs dash-uploader (for example with pip show dash-uploader, or by searching requirements and lock files) and upgrade to a patched version as soon as one is published.

Proactive Monitoring: Inspect web server access logs for requests to the dash-uploader upload endpoint whose path or parameters contain traversal sequences: "../" or "..\" in plain, percent-encoded ("%2e%2e%2f") or double-encoded ("%252e%252e%252f") form, absolute paths in filename or upload-identifier fields, and "%00" null bytes, which have no legitimate place in a filename. Decode values before matching; a single-pass check misses double encoding.

Compensating Controls: Until a fixed version is installed, deploy a Web Application Firewall (WAF) rule that blocks requests to the dash-uploader API whose path or parameters contain directory traversal sequences, and make sure the rule inspects percent-decoded values: a rule that matches only a literal "../" is bypassed by encoding. Treat this as a stopgap, not a fix.
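The following added detection script (not from the advisory and not part of dash-uploader) implements the log check above and the matching logic a WAF rule needs: it parses combined-format access-log lines, keeps only requests to the upload endpoint, and flags path or query values that contain dot-dot segments, absolute paths or NUL bytes, decoding percent-encoding repeatedly so double-encoded payloads are caught. The endpoint prefix, the parameter names and the log lines are constructed assumptions; set the prefix to the upload_api route configured for your app.

```python
from __future__ import annotations

import re
from urllib.parse import unquote, urlsplit

# Added example, not part of the advisory or of dash-uploader. API_PREFIX is
# an assumption: set it to the upload_api path your Dash app configured. The
# sample lines below and their parameter names are constructed.

API_PREFIX = "/API/dash-uploader"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
DOTDOT_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [12/Mar/2026:10:01:02 +0000] "POST /API/dash-uploader?upload_id=abc123&filename=report.csv HTTP/1.1" 200 17',
    '203.0.113.9 - - [12/Mar/2026:10:01:07 +0000] "POST /API/dash-uploader?upload_id=..%2F..%2Fetc&filename=cron HTTP/1.1" 200 17',
    '203.0.113.9 - - [12/Mar/2026:10:01:09 +0000] "POST /API/dash-uploader?upload_id=%252e%252e%252f&filename=x HTTP/1.1" 200 17',
    '203.0.113.9 - - [12/Mar/2026:10:01:11 +0000] "POST /API/dash-uploader?upload_id=abc123&filename=%2Fetc%2Fcron.d%2Fjob HTTP/1.1" 200 17',
    '203.0.113.9 - - [12/Mar/2026:10:01:13 +0000] "POST /API/dash-uploader?upload_id=abc123&filename=x.csv%00.png HTTP/1.1" 200 17',
    '203.0.113.9 - - [12/Mar/2026:10:01:15 +0000] "POST /API/dash-uploader/../../admin?upload_id=abc123 HTTP/1.1" 404 0',
    '10.0.0.3 - - [12/Mar/2026:10:01:20 +0000] "GET /static/app.js HTTP/1.1" 200 5120',
]


def fully_decode(value: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until stable; returns (decoded, rounds used).
    One pass catches %2e%2e%2f, a second catches %252e%252e%252f."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def traversal_indicators(raw: str) -> list[str]:
    """Indicators found in one request-controlled value (raw, still encoded)."""
    decoded, rounds = fully_decode(raw)
    normalised = decoded.replace("\\", "/")  # treat Windows separators alike
    hits = []
    if DOTDOT_RE.search(normalised):
        hits.append("dot-dot segment")
    if normalised.startswith("/"):
        hits.append("absolute path")
    if "\x00" in normalised:
        hits.append("null byte")
    if hits and decoded != raw:
        hits.append("percent-encoded")
        if rounds >= 2:
            hits.append("double-encoded")
    return hits


def scan_access_log(lines, api_prefix: str = API_PREFIX) -> list[dict]:
    """Parse each line, keep requests under api_prefix, and check the path
    tail plus every raw query value. parse_qsl is avoided on purpose so the
    original encoding survives for the check."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.startswith(api_prefix):
            continue
        values = [("<path>", parts.path[len(api_prefix):].lstrip("/"))]
        for pair in (parts.query.split("&") if parts.query else []):
            name, _, raw = pair.partition("=")
            values.append((name, raw))
        for name, raw in values:
            hits = traversal_indicators(raw)
            if hits:
                findings.append({
                    "line": lineno, "ip": m["ip"], "method": m["method"],
                    "status": m["status"], "param": name, "raw": raw,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['param']}={f['raw']!r} -> {f['indicators']}")
```

The same indicator function is what a WAF rule should express: decode first, normalise separators, then match. Note that the 404 on the last flagged line does not make it benign; it still records who probed the endpoint and with what.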

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for unauthenticated remote code execution, this vulnerability represents an immediate threat to the environment. Administrators should prioritize identifying vulnerable installations and applying vendor-supplied patches immediately upon release to prevent exploitation.