CVE-2026-38360

Severity: Critical (updated)

Published: 08 May 2026
Modified: 10 June 2026
KEV Added: not listed (see Summary)
Patch: none referenced (see Deeper analysis)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0598 (92.4th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-38360 is a critical-severity Path Traversal (CWE-22) vulnerability in fohrloop's dash-uploader, a Python package distributed on PyPI (the affected product is inferred from the references; NVD has not filed a CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-38360 is a directory traversal vulnerability (CWE-22) in fohrloop dash-uploader versions 0.1.0 through 0.7.0a2. The flaw is in the dash_uploader/httprequesthandler.py module, specifically in the BaseHttpRequestHandler.get_temp_root and BaseHttpRequestHandler._post methods that handle POSTed upload data.

A remote attacker can reach the issue over the network without authentication or user interaction (AV:N/PR:N/UI:N) and read or write files outside the intended upload directory. Because the location of the written file is attacker-chosen, the CVE rates the outcome as arbitrary code execution with full loss of confidentiality, integrity, and availability (C:H/I:H/A:H).

Public references consist of the project repository, the affected source files on both dev and stable branches, and a dedicated issue tracking the flaw, but contain no explicit statements on patches or mitigation steps.

The associated EPSS score has reached a peak of 0.1755 with a current value of 0.1456.

Vulnerability details

Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directory traversal in the public-facing Dash uploader component gives an unauthenticated remote client control over where the POST handler in httprequesthandler.py writes files, which is the file-write-then-execute path to remote code execution that T1190 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)
CVE-2026-31817 (shared CWE-22)

Affected Assets

dash-uploader (fohrloop), Python package distributed on PyPI
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly requires validation of file and path inputs in BaseHttpRequestHandler._post and get_temp_root, so traversal sequences are rejected before any file read or write occurs.

AC-3 Access Enforcement (prevent)
Enforces that only explicitly authorized file-system objects may be accessed by the unauthenticated HTTP handler, so a traversal cannot reach arbitrary paths.

Least privilege for the web process (prevent; the page does not name a control ID for this entry, the description corresponds to AC-6 Least Privilege)
Limits the web process to the minimal set of directories and privileges, so even a successful traversal yields far less ability to read, write, or execute arbitrary code.
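The traversal pattern described in the deeper analysis and the SI-10 and AC-3 controls listed above, shown side by side in an added Python example. This is not dash-uploader's code and does not reproduce its get_temp_root or _post methods; UPLOAD_ROOT, vulnerable_target, safe_target and the other names are hypothetical, and the attacker input is constructed for the demonstration.

```python
# Added example (not dash-uploader's code): a minimal upload target resolver showing
# the CWE-22 pattern next to a hardened version of the same logic. All names here
# (UPLOAD_ROOT, vulnerable_target, safe_target, write_upload, ...) are hypothetical.
import os
import re
import tempfile
from pathlib import Path

# Hypothetical stand-in for a handler's temp root; created fresh so the example runs offline.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads_example_"))


def vulnerable_target(upload_id: str, filename: str) -> Path:
    """CWE-22 pattern: client-controlled segments are joined into the temp root unchecked.
    '../' segments walk out of UPLOAD_ROOT, and an absolute filename replaces the root
    entirely because pathlib's '/' operator discards the left-hand side for absolute paths."""
    return UPLOAD_ROOT / upload_id / filename


# SI-10 (input validation): one conservative allowlist per path segment.
# No separators, no NUL, bounded length. '.' and '..' pass the character class,
# so they are excluded explicitly below.
_SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._-]{1,128}")


def safe_target(upload_id: str, filename: str) -> Path:
    """Hardened resolver: validate each segment, then canonicalize and enforce containment."""
    for seg in (upload_id, filename):
        if not _SAFE_SEGMENT.fullmatch(seg) or seg in (".", ".."):
            raise ValueError(f"rejected path segment: {seg!r}")
    root = UPLOAD_ROOT.resolve()
    target = (root / upload_id / filename).resolve()  # resolve() also follows symlinks
    # AC-3 (access enforcement): the only file-system objects reachable are below root.
    if os.path.commonpath([str(root), str(target)]) != str(root):
        raise ValueError(f"path escapes upload root: {target}")
    return target


def escapes_root(path: Path) -> bool:
    """True when a (possibly unnormalized) path would land outside UPLOAD_ROOT."""
    root = os.path.realpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def is_rejected(upload_id: str, filename: str) -> bool:
    """Does the hardened resolver refuse this (upload_id, filename) pair?"""
    try:
        safe_target(upload_id, filename)
    except ValueError:
        return True
    return False


def write_upload(upload_id: str, filename: str, data: bytes) -> Path:
    """Store upload data the way a hardened POST handler would: resolve first, then write."""
    target = safe_target(upload_id, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    # Use open(target, "xb") instead if overwriting an existing upload must also be refused.
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    # Constructed attacker input: the kind of segment an unauthenticated POST could carry.
    evil = "../../../etc/cron.d/backdoor"
    print("vulnerable resolver escapes root:", escapes_root(vulnerable_target("job1", evil)))
    print("hardened resolver rejects it:    ", is_rejected("job1", evil))
    print("benign upload stored at:", write_upload("job1", "report.csv", b"id,value\n1,2\n"))
```

The allowlist alone is not the containment check and the containment check alone is not the allowlist: the regex stops separators, NUL bytes and over-long segments before any path arithmetic happens, while the commonpath comparison on resolved paths catches anything the allowlist did not anticipate, including a symlink inside the upload root that points outside it. Running the web process as an unprivileged user with the upload root as its only writable directory is the third layer the controls list describes.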
