A directory traversal flaw in fohrloop dash-uploader allows a remote attacker to traverse beyond the intended upload directory and execute arbitrary code by manipulating the path supplied to the file upload handler. The vulnerability stems from improper path validation in the get_temp_root and _post methods of the httprequesthandler module, enabling an attacker to specify paths that access writable directories controlled by the application and inject executable payloads. The impact is full compromise of the host, granting the attacker ability to read, modify, or delete any file, install malware, and take full control of the system.

fohrloop dash-uploader versions 0.1.0 through 0.7.0a2 are affected. Any deployment of these releases that expose the upload endpoint over the network is vulnerable, regardless of authentication state or configuration specifics.

The vulnerability allows remote code execution, for which an EPSS score of 14% is available and it is not listed in CISA’s KEV catalog. The likely attack vector is inferred to be an HTTP request to the upload endpoint that exploits the directory traversal flaw, a scenario that is feasible for remote attackers with network access to the service. Because the flaw directly triggers code execution, the risk is high even without publicly available exploits.