Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components
Articles & Coverage 1
AnalysisAI
Remote code execution in dash-uploader (Python package for Plotly Dash) versions 0.1.0 through 0.7.0a2 allows unauthenticated remote attackers to execute arbitrary code via directory traversal flaws in the HTTP request handler. The vulnerability affects temp_root path handling and POST request processing, enabling attackers to write files outside intended upload directories. Public exploit code exists (GitHub repository CVE-2026-38360), and the CVSS 9.8 critical score reflects the network-accessible, no-authentication attack vector. EPSS data not available, but the combination of RCE impact, public POC, and trivial exploitation complexity (AC:L/PR:N) makes this a high-priority remediation target for any deployment using vulnerable dash-uploader versions.
Technical ContextAI
dash-uploader is a Python library providing file upload functionality for Plotly Dash web applications. The vulnerability resides in dash_uploader/httprequesthandler.py, specifically in the BaseHttpRequestHandler.get_temp_root() and BaseHttpRequestHandler._post() methods. CWE-22 (Path Traversal) indicates insufficient input validation on file paths during upload operations. Attackers can manipulate file path parameters with sequences like '../' to escape the intended temporary upload directory, writing malicious files to arbitrary filesystem locations accessible to the web application process. When combined with web-accessible directories or executable contexts, path traversal enables remote code execution by uploading web shells, cron jobs, or overwriting application files. The CPE string 'cpe:2.3:a:n/a:n/a' indicates incomplete product identification in NVD data, but PyPI and GitHub references confirm the affected package is the fohrloop/dash-uploader Python library.
RemediationAI
Primary mitigation: Immediately upgrade dash-uploader to a patched version newer than 0.7.0a2 if available (check PyPI repository for releases post-dating this CVE disclosure). As of this analysis, no confirmed patched version is documented in available references - monitor github.com/fohrloop/dash-uploader/issues/153 for vendor response and release timeline. If no patch exists, implement compensating controls: (1) Remove or disable dash-uploader upload functionality from production applications until patched version available; (2) If removal impossible, restrict network access to upload endpoints using web application firewall rules permitting only trusted IP ranges (note this significantly reduces application functionality); (3) Run the Dash application with minimal filesystem permissions using a dedicated service account that cannot write to web-accessible directories or system paths (limits RCE impact but does not prevent exploitation); (4) Deploy filesystem monitoring to detect unexpected file writes outside designated upload directories (detection, not prevention). Trade-off: All workarounds except upgrading reduce functionality or provide incomplete protection. Given critical severity and RCE impact, the recommended action is application-level removal of upload features until vendor patch confirmed available. Consult vendor advisory when published.
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28802
GHSA-3rf6-x59v-5jfv