CVE-2026-38361

HIGH NUCLEI

dash-uploader 0.1.0-0.7.0a2 Upload Handler - Remote Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-38361. PoCs published by a1ohadance. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-38361, which involves multiple unauthenticated DoS vulnerabilities in the dash-uploader library. The writeup includes root cause analysis, vulnerable code snippets, and verified attack vectors such as OOM crashes, file truncation, and disk exhaustion.

Description

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components.

Exploits (1)

nomisec WRITEUP
by a1ohadance · poc
https://github.com/a1ohadance/CVE-2026-38361

Classification: Writeup 100%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: dash-uploader (versions 0.1.0 through 0.7.0a2)
No auth needed
Prerequisites: Network access to the target server · Ability to send crafted POST requests to the /API/resumable endpoint
devstral-2 · analyzed May 09, 2026

Nuclei Templates (1)

dash-uploader 0.1.0 - 0.7.0a2 - Denial-of-Service via flowTotalChunks
HIGH by a1ohadance
Shodan: html:"_dash-undo-redo"
FOFA: body="_dash-undo-redo"

Scores

CVSS v3 7.5
EPSS 0.0060
EPSS Percentile 69.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE: CWE-400, CWE-670
Status published
Products (2)
fohrloop/dash-uploader 0.7.0 alpha1 (2 CPE variants)
fohrloop/dash-uploader 0.1.0 - 0.6.1
Published May 08, 2026
Tracked Since May 08, 2026