CVE-2026-38360
dash-uploader has a directory traversal vulnerability
Description
### Impact An unauthenticated path traversal vulnerability exists in [dash-uploader](https://pypi.org/project/dash-uploader/) versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at `dash_uploader/httprequesthandler.py` reads three form parameters (`upload_id`, `resumableFilename`, `resumableIdentifier`) from `request.form.get()` and passes them directly to `os.path.join()` and `os.makedirs()` without any sanitization. A single unauthenticated `POST /API/dash-uploader` request with `upload_id` set to a relative path (e.g. `../../etc/cron.d` or `../venv/lib/python3.13/site-packages`) escapes the application's `uploads/` directory and writes the supplied file content to the chosen target path under the privilege of the gunicorn / WSGI process. When the chosen target is a Python `site-packages` directory and the dropped file is a `.pth` file containing an `import`-prefixed line, Python's `site` module executes that line on the next interpreter startup, yielding remote code execution. Other escalation paths reachable from the same primitive include overwriting the running WSGI module, dropping `~/.ssh/authorized_keys`, or writing JavaScript into a Dash-served `assets/` directory for stored XSS. ### Affected versions All 16 published PyPI releases (`0.1.0` through `0.7.0a2`) are affected. The package repository was archived on 2025-07-19; **no patched version exists**. ### Mitigation Replace `dash-uploader` with an alternative file-upload component (for example, `dash-resumable-upload`, server-rendered `<input type=\"file\">` plus a hardened Flask endpoint, or a maintained Dash community alternative). There is no upstream fix path. While a replacement is being deployed, mitigations include: * Block `POST /API/dash-uploader` at an upstream proxy, OR * Run the application as an unprivileged user with no write access to its own `site-packages`, OR * Use a read-only filesystem for the application's code directories.
How to fix CVE-2026-38360
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2026-38360 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-38360.