CVE-2026-38360
Published: 08 May 2026
Summary
CVE-2026-38360 is a critical-severity Path Traversal (CWE-22) vulnerability in a package distributed via PyPI (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 7.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-38360 is a directory traversal vulnerability affecting fohrloop dash-uploader versions 0.1.0 through 0.7.0a2. The flaw resides in the dash_uploader/httprequesthandler.py module, specifically within the BaseHttpRequestHandler.get_temp_root and BaseHttpRequestHandler._post methods, and is tracked under CWE-22.
A remote attacker can exploit the issue over the network without authentication or user interaction to read or write arbitrary files on the server, resulting in execution of arbitrary code and full compromise of confidentiality, integrity, and availability.
Public references consist of the project repository, the affected source files on both dev and stable branches, and a dedicated issue tracking the flaw, but contain no explicit statements on patches or mitigation steps.
The associated EPSS score has reached a peak of 0.1755 with a current value of 0.1456.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28802
Vulnerability details
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in the public-facing Dash upload component directly enables remote code execution: the httprequesthandler POST handling lets a malicious file be written to an attacker-chosen location and subsequently executed.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of file/path inputs in BaseHttpRequestHandler._post and get_temp_root to block traversal sequences before arbitrary file read/write occurs.
- AC-3 (Access Enforcement): enforces that only explicitly authorized file-system objects may be accessed by the unauthenticated HTTP handler, preventing the traversal from reaching arbitrary paths.
- Least privilege for the web process: limits the process to the minimal set of directories and privileges, so even a successful traversal yields far less ability to read, write, or execute arbitrary code.
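The two controls above (validate path-like inputs, then confine every file-system access to an explicitly authorised root) can be illustrated with a small upload-path helper. This is an added example and not dash-uploader's own code: `UPLOAD_ROOT`, `naive_upload_path`, `resolve_upload_path`, `is_confined` and `escapes_root` are hypothetical names, and the weak variant is kept only for contrast with the hardened one.

```python
"""Hardened path handling for an HTTP upload handler (added example).

Hypothetical code, not dash-uploader's own: it shows the SI-10 / AC-3
pattern of validating client-supplied path components and confining the
resolved path to one authorised upload root.
"""
import re
import tempfile
from pathlib import Path

# Authorised root for all uploads (constructed for this example).
UPLOAD_ROOT = Path(tempfile.gettempdir()) / "example_uploads"

# Upload identifiers are client-supplied in chunked-upload protocols; accept
# only a conservative character set so they can never carry separators or dots.
_SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafePathError(ValueError):
    """Raised when a client-supplied path component would escape UPLOAD_ROOT."""


def naive_upload_path(upload_id: str, filename: str) -> Path:
    """Weak pattern: joins client input straight into a filesystem path.

    A `..` segment, or an absolute `filename`, makes the result land outside
    UPLOAD_ROOT (pathlib discards the left side when joining an absolute path).
    """
    return UPLOAD_ROOT / upload_id / filename


def resolve_upload_path(upload_id: str, filename: str) -> Path:
    """Validate both inputs (SI-10), then confine the result to UPLOAD_ROOT (AC-3)."""
    if not _SAFE_ID.match(upload_id):
        raise UnsafePathError(f"rejected upload id: {upload_id!r}")

    # Reject anything that is not a single plain file name: separators of either
    # flavour, the special entries '.' and '..', empty names and NUL bytes.
    if (
        not filename
        or "/" in filename
        or "\\" in filename
        or "\x00" in filename
        or filename in (".", "..")
    ):
        raise UnsafePathError(f"rejected filename: {filename!r}")

    # Resolve symlinks and any remaining '..' before comparing; a plain string
    # prefix check on the unresolved path would not be sufficient.
    root = UPLOAD_ROOT.resolve()
    candidate = (root / upload_id / filename).resolve()
    if root not in candidate.parents:
        raise UnsafePathError(f"path escapes upload root: {candidate}")
    return candidate


def is_confined(upload_id: str, filename: str) -> bool:
    """True if the pair is accepted by resolve_upload_path()."""
    try:
        resolve_upload_path(upload_id, filename)
        return True
    except UnsafePathError:
        return False


def escapes_root(path: Path) -> bool:
    """True if `path`, once resolved, lies outside UPLOAD_ROOT.

    Useful as a unit-test oracle for any path-building function.
    """
    return UPLOAD_ROOT.resolve() not in path.resolve().parents


if __name__ == "__main__":
    # Constructed inputs: one benign pair and several traversal attempts.
    for upload_id, name in [
        ("chunk-01", "report.pdf"),
        ("chunk-01", "../../etc/passwd"),
        ("../../etc", "passwd"),
        ("chunk-01", "/etc/passwd"),
    ]:
        print(f"{upload_id!r:14} {name!r:22} naive escapes={escapes_root(naive_upload_path(upload_id, name))!s:5} "
              f"hardened accepts={is_confined(upload_id, name)}")
```

The hardened variant rejects rather than sanitises: stripping directories out of a hostile file name silently turns an attack into a valid upload, whereas a rejection can be logged and alerted on, which is the signal a detection team wants from a public-facing upload endpoint.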