dash-uploader CVE-2026-38361

EUVD-2026-28645 · HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-08 · mitre · GHSA-xp7f-v245-w3w8
CVSS 3.1 (NVD): 7.5

Severity by source

NVD (primary): 7.5 HIGH
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD; NVD is the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     None
Integrity:           None
Availability:        High

Lifecycle Timeline

May 08, 2026 19:23  Analysis generated (vuln.today)
May 08, 2026 19:22  CVSS changed to 7.5 (HIGH) (NVD)
May 08, 2026 00:00  CVE published (nvd): HIGH 7.5
May 08, 2026 00:00  CVE published (nvd): UNKNOWN (no severity yet)

Description (CVE.org)

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components

Analysis (AI)

Remote code execution and denial-of-service flaws in the dash-uploader Python library allow unauthenticated network attackers to execute arbitrary code or crash applications via malicious file uploads. Versions 0.1.0 through 0.7.0a2 contain flaws in the HTTP request handler (httprequesthandler.py), the upload function (upload.py), and max_file_size parameter processing (configure_upload.py). …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata:

Access:    Identify exposed dash-uploader endpoint
Delivery:  Send crafted malicious upload request
Exploit:   Trigger vulnerability in HTTP handler
Execution: Execute arbitrary Python code
Persist:   Establish persistence or exfiltrate data
Impact:    Impact application availability or integrity

Vulnerability Assessment (AI)

Exploitation: No special conditions; remote unauthenticated exploitation against default configurations of dash-uploader. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: A critical discrepancy exists between the CVSS impact scores (C:N/I:N/A:H, indicating only availability impact) and the RCE tag classification (which implies confidentiality and integrity impacts). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: Attacker identifies a public-facing Plotly Dash application using dash-uploader by fingerprinting upload endpoints or observing library-specific HTTP request patterns. Crafts a malicious file upload request with a specially formatted filename, oversized max_file_size parameter, or malformed HTTP headers targeting vulnerabilities in httprequesthandler.py. …

Remediation: No vendor-released patch version identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: identify all applications and services using dash-uploader via dependency scanning (pip list, requirements.txt, poetry.lock) and assess the network exposure of affected instances. …
