Description
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.
Published: 2026-05-08
Score: 9.8 Critical
EPSS: 6.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A directory traversal vulnerability in fohrloop dash‑uploader exposes the file upload handler to arbitrary path manipulation. By forging a request that includes traversal sequences such as "/../" to escape the intended temporary upload directory, an attacker can cause the server to write or execute files in directories of the attacker's choosing. The flaw is reached through the get_temp_root and _post methods of httprequesthandler.py and enables execution of malicious code on the host, giving the attacker full control within the impact scope. It is a classic instance of the CWE-22 Directory Traversal weakness.
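The kind of containment check that the remediation advice ("proper path validation") refers to, shown as an added illustration rather than dash-uploader's own code: a naive join that honours "/../" segments beside a hardened resolver that requires every per-upload temp path to stay under the upload root. The root directory, upload id and filename parameters are assumptions about how such a handler might be structured.

```python
import os
import tempfile
from pathlib import Path

# Constructed demo root standing in for the handler's temporary upload
# directory; the location is hypothetical, not dash-uploader's own.
DEMO_ROOT = Path(tempfile.mkdtemp(prefix="upload-root-"))

class PathTraversalError(ValueError):
    """Raised when a requested upload path would leave the upload root."""

def unsafe_temp_path(root, upload_id, filename):
    """Naive join: '..' segments in request-supplied parts are honoured,
    so the returned path can lie anywhere on the filesystem."""
    return os.path.normpath(os.path.join(str(root), upload_id, filename))

def safe_temp_path(root, upload_id, filename):
    """Build the per-upload temp path and prove it stays under root."""
    root = Path(root).resolve()
    for part in (upload_id, filename):
        # Each part must be a single, plain path component: no separators,
        # no '.' or '..', no NUL byte that could truncate the name elsewhere.
        if (not part or part in (".", "..") or "/" in part
                or "\\" in part or "\0" in part):
            raise PathTraversalError(f"invalid path component: {part!r}")
    # resolve() follows symlinks, so a link planted inside the root that
    # points outside it is caught here as well as literal '..' segments.
    candidate = (root / upload_id / filename).resolve()
    if root not in candidate.parents:
        raise PathTraversalError(f"{candidate} escapes {root}")
    return candidate

def rejects(root, upload_id, filename):
    """True if safe_temp_path refuses the request (used by the checks)."""
    try:
        safe_temp_path(root, upload_id, filename)
    except PathTraversalError:
        return True
    return False

def symlink_escape_rejected(root=DEMO_ROOT):
    """A symlink under root that points at its parent must also be refused."""
    link = Path(root) / "escape"
    if not link.is_symlink():
        link.symlink_to(Path(root).parent)
    return rejects(root, "escape", "file.bin")
```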

Affected Systems

fohrloop dash‑uploader releases from 0.1.0 through 0.7.0a2 are affected. Any deployment that exposes the upload endpoint to external traffic can be exploited; the CVE description gives no details about authentication or network segmentation requirements.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8 and an EPSS score of 0.06538, indicating an extremely low likelihood of exploitation in realistic attacker scenarios. The flaw is not yet listed in the CISA KEV catalog, but its severity and remotely exploitable nature make it a critical risk. Attackers can trigger the flaw by sending a specially crafted HTTP request to the upload endpoint, where the server interprets the traversal sequence and arbitrary code is executed.

Generated by OpenCVE AI on June 11, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fohrloop dash‑uploader to a version newer than 0.7.0a2 that implements proper path validation in httprequesthandler.py.
  • Restrict access to the file upload endpoint by requiring authentication or limiting traffic to trusted IP addresses.
  • If upgrade is not immediately feasible, disable the upload functionality or remove the vulnerable endpoints from the exposed service.

Advisories
  • Source: Github GHSA
    ID: GHSA-3rf6-x59v-5jfv
    Title: dash-uploader has a directory traversal vulnerability
History

Wed, 10 Jun 2026 20:00:00 +0000
  • Title: Directory Traversal Allows Remote Code Execution in fohrloop dash-uploader

Wed, 10 Jun 2026 16:00:00 +0000
  • Description (value removed): Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components
  • Description (value added): Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.
  • References

Fri, 22 May 2026 16:00:00 +0000
  • Title: Directory Traversal Allows Remote Code Execution in fohrloop dash-uploader

Thu, 14 May 2026 15:30:00 +0000
  • Title: Directory Traversal Vulnerability Enabling Remote Code Execution in Fohrloop Dash-Uploader

Wed, 13 May 2026 17:45:00 +0000
  • Title: Directory Traversal Vulnerability Enabling Remote Code Execution in Fohrloop Dash-Uploader

Mon, 11 May 2026 17:00:00 +0000
  • First Time appeared (values added): Fohrloop; Fohrloop dash-uploader
  • Vendors & Products (values added): Fohrloop; Fohrloop dash-uploader

Sat, 09 May 2026 15:30:00 +0000
  • Title: Directory Traversal in fohrloop dash-uploader Allows Remote Code Execution

Fri, 08 May 2026 20:00:00 +0000
  • Title (value added): Directory Traversal in fohrloop dash-uploader Allows Remote Code Execution

Fri, 08 May 2026 18:15:00 +0000
  • Weaknesses (value added): CWE-22
  • Metrics (value added): cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics (value added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:30:00 +0000
  • Description (value added): Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components
  • References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-10T15:34:05.726Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38360

Vulnrichment

Updated: 2026-05-08T18:04:06.626Z

NVD

Status: Deferred

Published: 2026-05-08T17:16:30.380

Modified: 2026-06-17T10:41:41.090

Link: CVE-2026-38360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T21:45:08Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')