{"id":"PYSEC-2026-320","summary":"dash-uploader has a directory traversal vulnerability","details":"### Impact\n\nAn unauthenticated path traversal vulnerability exists in [dash-uploader](https://pypi.org/project/dash-uploader/) versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at `dash_uploader/httprequesthandler.py` reads three form parameters (`upload_id`, `resumableFilename`, `resumableIdentifier`) from `request.form.get()` and passes them directly to `os.path.join()` and `os.makedirs()` without any sanitization.\n\nA single unauthenticated `POST /API/dash-uploader` request with `upload_id` set to a relative path (e.g. `../../etc/cron.d` or `../venv/lib/python3.13/site-packages`) escapes the application's `uploads/` directory and writes the supplied file content to the chosen target path under the privilege of the gunicorn / WSGI process.\n\nWhen the chosen target is a Python `site-packages` directory and the dropped file is a `.pth` file containing an `import`-prefixed line, Python's `site` module executes that line on the next interpreter startup, yielding remote code execution. Other escalation paths reachable from the same primitive include overwriting the running WSGI module, dropping `~/.ssh/authorized_keys`, or writing JavaScript into a Dash-served `assets/` directory for stored XSS.\n\n### Affected versions\n\nAll 16 published PyPI releases (`0.1.0` through `0.7.0a2`) are affected. The package repository was archived on 2025-07-19; **no patched version exists**.\n\n### Mitigation\n\nReplace `dash-uploader` with an alternative file-upload component (for example, `dash-resumable-upload`, server-rendered `\u003cinput type=\"file\"\u003e` plus a hardened Flask endpoint, or a maintained Dash community alternative). There is no upstream fix path.\n\nWhile a replacement is being deployed, mitigations include:\n\n* Block `POST /API/dash-uploader` at an upstream proxy, OR\n* Run the application as an unprivileged user with no write access to its own `site-packages`, OR\n* Use a read-only filesystem for the application's code directories.","aliases":["CVE-2026-38360","GHSA-3rf6-x59v-5jfv"],"modified":"2026-06-29T12:15:17.069559175Z","published":"2026-06-29T11:50:48.606509Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38360"},{"type":"WEB","url":"https://github.com/fohrloop/dash-uploader/issues/153"},{"type":"WEB","url":"https://github.com/a1ohadance/CVE-2026-38360"},{"type":"WEB","url":"https://github.com/fohrloop/dash-uploader"},{"type":"WEB","url":"https://github.com/fohrloop/dash-uploader/blob/dev/dash_uploader/httprequesthandler.py"},{"type":"WEB","url":"https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py"},{"type":"PACKAGE","url":"https://github.com/lmigtech/dash_uploader"},{"type":"WEB","url":"https://pypi.org/project/dash-uploader"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-3rf6-x59v-5jfv"}],"affected":[{"package":{"name":"dash-uploader","ecosystem":"PyPI","purl":"pkg:pypi/dash-uploader"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.1.0"},{"last_affected":"0.7.0a2"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.2.0","0.2.3","0.2.4","0.3.0","0.3.1","0.4.0","0.4.1","0.4.2","0.5.0","0.6.0","0.6.1","0.7.0a1","0.7.0a2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/dash-uploader/PYSEC-2026-320.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}