Skip to main content

dash-uploader EUVDEUVD-2026-28802

| CVE-2026-38360 CRITICAL
Path Traversal (CWE-22)
2026-05-08 mitre GHSA-3rf6-x59v-5jfv
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 19:24 vuln.today
CVSS changed
May 08, 2026 - 19:22 NVD
9.8 (CRITICAL)
CVE Published
May 08, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components

AnalysisAI

Remote code execution in dash-uploader (Python package for Plotly Dash) versions 0.1.0 through 0.7.0a2 allows unauthenticated remote attackers to execute arbitrary code via directory traversal flaws in the HTTP request handler. The vulnerability affects temp_root path handling and POST request processing, enabling attackers to write files outside intended upload directories. Public exploit code exists (GitHub repository CVE-2026-38360), and the CVSS 9.8 critical score reflects the network-accessible, no-authentication attack vector. EPSS data not available, but the combination of RCE impact, public POC, and trivial exploitation complexity (AC:L/PR:N) makes this a high-priority remediation target for any deployment using vulnerable dash-uploader versions.

Technical ContextAI

dash-uploader is a Python library providing file upload functionality for Plotly Dash web applications. The vulnerability resides in dash_uploader/httprequesthandler.py, specifically in the BaseHttpRequestHandler.get_temp_root() and BaseHttpRequestHandler._post() methods. CWE-22 (Path Traversal) indicates insufficient input validation on file paths during upload operations. Attackers can manipulate file path parameters with sequences like '../' to escape the intended temporary upload directory, writing malicious files to arbitrary filesystem locations accessible to the web application process. When combined with web-accessible directories or executable contexts, path traversal enables remote code execution by uploading web shells, cron jobs, or overwriting application files. The CPE string 'cpe:2.3:a:n/a:n/a' indicates incomplete product identification in NVD data, but PyPI and GitHub references confirm the affected package is the fohrloop/dash-uploader Python library.

RemediationAI

Primary mitigation: Immediately upgrade dash-uploader to a patched version newer than 0.7.0a2 if available (check PyPI repository for releases post-dating this CVE disclosure). As of this analysis, no confirmed patched version is documented in available references - monitor github.com/fohrloop/dash-uploader/issues/153 for vendor response and release timeline. If no patch exists, implement compensating controls: (1) Remove or disable dash-uploader upload functionality from production applications until patched version available; (2) If removal impossible, restrict network access to upload endpoints using web application firewall rules permitting only trusted IP ranges (note this significantly reduces application functionality); (3) Run the Dash application with minimal filesystem permissions using a dedicated service account that cannot write to web-accessible directories or system paths (limits RCE impact but does not prevent exploitation); (4) Deploy filesystem monitoring to detect unexpected file writes outside designated upload directories (detection, not prevention). Trade-off: All workarounds except upgrading reduce functionality or provide incomplete protection. Given critical severity and RCE impact, the recommended action is application-level removal of upload features until vendor patch confirmed available. Consult vendor advisory when published.

Share

EUVD-2026-28802 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy