CVE-2026-38360

CRITICAL NUCLEI

dash-uploader 0.1.0-0.7.0a2 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-38360. PoCs published by a1ohadance. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-38360, a path traversal vulnerability in the dash-uploader library. It includes root cause analysis, vulnerable code snippets, attack vectors, and impact assessment, but does not contain functional exploit code.

Description

Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.

Exploits (1)

nomisec WRITEUP

by a1ohadance · poc

https://github.com/a1ohadance/CVE-2026-38360

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-38360, a path traversal vulnerability in the dash-uploader library. It includes root cause analysis, vulnerable code snippets, attack vectors, and impact assessment, but does not contain functional exploit code.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: dash-uploader (versions 0.1.0 through 0.7.0a2)

No auth needed

Prerequisites: Network access to the vulnerable endpoint · Ability to send crafted HTTP POST requests

MITRE ATT&CK