Description
An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in fohrloop dash-uploader allows a remote attacker to execute arbitrary code by exploiting the Upload function and the max_file_size parameter within the dash_uploader/httprequesthandler.py component. The vulnerability enables the attacker to supply malicious content that is processed and executed by the server, compromising both confidentiality and integrity of the hosting system. This can lead to complete takeover of the application or the underlying host.

Affected Systems

fohrloop dash-uploader versions 0.1.0 through 0.7.0a2. No specific vendor name is listed, but the product is the Python-based dash-uploader package distributed via PyPI.

Risk and Exploitability

The CVE carries a CVSS score of 7.5, lacks an EPSS score, and is not listed in the CISA KEV catalog, indicating a high severity flaw. Based on the description, the likely attack vector is a crafted HTTP POST request to the upload endpoint that includes a malicious payload and an oversized max_file_size parameter. Because the flaw resides in the core upload handling logic, successful exploitation does not require additional privileges, making the vulnerability broadly exploitable.

Generated by OpenCVE AI on May 8, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of dash-uploader that contains the fix for arbitrary code execution, or replace the package entirely with a maintained alternative.
  • If upgrading is not possible, remove or disable the upload endpoint and any related routes that expose the vulnerable handler.
  • Implement strict file type and size validation both on the client and server side, rejecting any requests that do not conform to defined whitelists and limits to prevent future exploitation.
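As an added illustration of the last action, the following stand-alone Python validator is not code from dash-uploader or from OpenCVE; it shows what server-side enforcement of size and type limits looks like when the client-supplied limit (the max_file_size parameter named in the description) is treated as untrusted input. The header names `X-Filename` and `Content-Length`, the 10 MiB ceiling and the extension whitelist are assumptions chosen for the example.

```python
"""Server-side upload validation (added example, not dash-uploader code)."""
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Hard server-side ceiling (assumed value); a client-supplied limit may only tighten it.
SERVER_MAX_BYTES = 10 * 1024 * 1024
# Whitelist of permitted extensions (assumed for the example).
ALLOWED_EXTENSIONS = frozenset({".csv", ".txt", ".png"})
# Filenames are reduced to one conservative character class, no leading dot.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str
    filename: str = ""
    limit: int = SERVER_MAX_BYTES


def sanitize_filename(raw: str) -> Optional[str]:
    """Drop any directory component and reject names outside the safe class."""
    name = os.path.basename(raw.replace("\\", "/"))
    if name in ("", ".", "..") or not _SAFE_NAME.match(name):
        return None
    return name


def effective_limit(client_max: Optional[str]) -> int:
    """Clamp an untrusted client limit so it can never exceed the server ceiling."""
    try:
        requested = int(client_max) if client_max is not None else SERVER_MAX_BYTES
    except ValueError:
        return SERVER_MAX_BYTES
    if requested <= 0:
        return SERVER_MAX_BYTES
    return min(requested, SERVER_MAX_BYTES)


def validate_upload(headers: Mapping[str, str], body: bytes,
                    client_max_file_size: Optional[str] = None) -> UploadDecision:
    """Validate one upload request before any byte of it is written to disk.

    The client limit is only ever used to tighten the server ceiling; the
    checks run on the declared size, the real body length and the filename.
    """
    limit = effective_limit(client_max_file_size)

    name = sanitize_filename(headers.get("X-Filename", ""))
    if name is None:
        return UploadDecision(False, "unsafe or missing filename", limit=limit)
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension {ext!r} not allowed", name, limit)

    try:
        declared = int(headers.get("Content-Length", ""))
    except ValueError:
        return UploadDecision(False, "missing or non-numeric Content-Length", name, limit)
    if declared < 0 or declared > limit:
        return UploadDecision(False, f"declared size {declared} exceeds limit {limit}", name, limit)
    if len(body) != declared:
        return UploadDecision(False, "body length does not match Content-Length", name, limit)
    return UploadDecision(True, "ok", name, limit)


if __name__ == "__main__":
    # Constructed sample request: a small CSV with a traversal attempt in its name.
    sample_headers = {"Content-Length": "5", "X-Filename": "../../x.csv"}
    print(validate_upload(sample_headers, b"a,b,c", client_max_file_size="999999999999"))
```

The point of `effective_limit` is that a client may shrink the budget for its own request but can never raise it above `SERVER_MAX_BYTES`, and the declared size is cross-checked against the bytes actually received, so neither an inflated limit nor an understated Content-Length lets an oversized body through.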


Advisories

No advisories yet.

History

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution via File Upload in fohrloop Dash-Uploader
Weaknesses CWE-78
CWE-94

Fri, 08 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-670
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution via File Upload in fohrloop Dash-Uploader
Weaknesses CWE-78
CWE-94

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T18:27:31.102Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38361

Vulnrichment

Updated: 2026-05-08T18:26:05.370Z

NVD

Status: Undergoing Analysis

Published: 2026-05-08T15:16:37.120

Modified: 2026-05-08T19:16:31.103

Link: CVE-2026-38361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses