Vulnerabilities

CVE-2026-38361

High ⚡ Exploit Available
CWE-400 — Weakness Type
Published: May 8, 2026  ·  Modified: May 15, 2026  ·  Source: NVD
CVSS v3
7.5
🔗 NVD Official
📄 Description (English)

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components

🤖 AI Executive Summary

CVE-2026-38361 is a critical remote code execution vulnerability in dash-uploader (v0.1.0-0.7.0a2) affecting file upload handling through improper validation of the max_file_size parameter. An unauthenticated remote attacker can execute arbitrary code by exploiting flaws in httprequesthandler.py and upload.py components. With an available exploit and no official patch, this poses immediate risk to organizations using this Python library for file upload functionality.

🤖 AI Intelligence Analysis (analyzed: May 13, 2026 02:34)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using dash-uploader in web applications face critical risk, particularly: (1) Government agencies and NCA-regulated entities using Python-based document management systems; (2) Banking sector (SAMA-regulated) if dash-uploader is integrated in fintech platforms or payment processing dashboards; (3) Healthcare providers using Plotly Dash for medical data visualization and reporting; (4) Energy sector (ARAMCO, SEC) if used in operational dashboards; (5) Telecommunications (STC, Mobily) for customer portal file uploads. The lack of authentication requirement makes this exploitable against internet-facing applications without additional security controls.
🏢 Affected Saudi Sectors
Government, Banking and Financial Services, Healthcare, Energy and Utilities, Telecommunications, Education, E-commerce
⚖️ Saudi Risk Score (AI)
8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems using dash-uploader v0.1.0 through v0.7.0a2 via dependency scanning (pip list, requirements.txt, poetry.lock)
2. Isolate affected applications from internet-facing access or place behind WAF with strict file upload rules
3. Implement network segmentation to limit lateral movement if RCE occurs

PATCHING GUIDANCE:
1. Upgrade to dash-uploader version > 0.7.0a2 when available (monitor fohrloop GitHub/PyPI)
2. If upgrade unavailable, consider alternative file upload libraries (Flask-Upload, django-storages)
3. Pin dependencies to prevent automatic updates to vulnerable versions
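The identification step above (dependency scanning for dash-uploader v0.1.0 through v0.7.0a2) can be automated against `pip freeze` or `requirements.txt` output. The following is an added example, not code from the advisory or from the dash-uploader project: it uses a minimal version parser written here (X.Y[.Z] with an optional a/b/rc pre-release suffix, an assumption that covers the versions named on this page) so it runs without third-party packages, and the requirement lines it scans are constructed sample input.

```python
import re
from typing import List, Optional, Tuple

# Affected range stated in the advisory: dash-uploader 0.1.0 through 0.7.0a2, inclusive.
AFFECTED_PACKAGE = "dash-uploader"
AFFECTED_MIN = "0.1.0"
AFFECTED_MAX = "0.7.0a2"

# Minimal PEP 440 subset: X.Y[.Z][{a|b|rc}N]. Anything else is reported as unparseable.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same X.Y.Z

# Pinned requirement line: name == version, ignoring markers (;) and comments (#).
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a version string into a tuple that compares the way PEP 440 orders it."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = _PRE_RANK[pre] if pre else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), pre_rank, int(pre_num or 0))


def is_affected(version: str) -> bool:
    """True when version falls inside the advisory's inclusive range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def normalize_name(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -, _ and . collapse to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(lines: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (name, version, affected) for every pinned dash-uploader line.

    affected is None when the version could not be parsed and needs manual review.
    """
    findings = []
    for line in lines:
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        if normalize_name(name) != AFFECTED_PACKAGE:
            continue
        try:
            findings.append((name, version, is_affected(version)))
        except ValueError:
            findings.append((name, version, None))
    return findings


def affected_in(lines: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Only the lines that are affected or could not be parsed."""
    return [f for f in scan_requirements(lines) if f[2] is not False]


# Constructed sample of `pip freeze` / requirements.txt output (not from a real system).
SAMPLE_FREEZE = [
    "dash==2.14.2",
    "Dash-Uploader==0.6.0",                             # affected, mixed-case name
    "dash_uploader==0.7.0a2",                           # affected, upper bound of the range
    "dash-uploader==0.7.0 ; python_version >= '3.8'",   # final 0.7.0 is above the range
    "flask==3.0.0",
    "# dash-uploader==0.5.0 (commented out, must be ignored)",
]

if __name__ == "__main__":
    for name, version, affected in scan_requirements(SAMPLE_FREEZE):
        status = {True: "AFFECTED", False: "ok", None: "UNPARSEABLE, review"}[affected]
        print(f"{name}=={version}: {status}")
```

Run it as a script, or feed `subprocess.run(["pip", "freeze"], ...)` output into `scan_requirements` from your own inventory tooling. The pre-release ordering matters here: 0.7.0a2 is the last affected build, while 0.7.0b1 and 0.7.0 sort above it and are not flagged.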

COMPENSATING CONTROLS (if upgrade delayed):
1. Implement strict input validation: reject max_file_size parameters outside expected ranges
2. Disable file upload functionality if not critical; use external storage services (AWS S3, Azure Blob) instead
3. Run application in restricted container with minimal privileges (non-root user, read-only filesystem)
4. Implement file type whitelisting and magic number validation
5. Disable Python code execution in upload directories (set appropriate file permissions)

DETECTION RULES:
1. Monitor HTTP requests with suspicious max_file_size values (negative, extremely large, special characters)
2. Alert on unexpected process spawning from Python/Dash application processes
3. Log all file uploads with size validation failures
4. Monitor for POST requests to /upload endpoints with Content-Length mismatches
5. Implement IDS signatures for dash-uploader exploitation patterns
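Compensating control 1 (reject `max_file_size` outside expected ranges) and detection rules 1 and 4 (suspicious `max_file_size` values, Content-Length mismatches on POSTs to /upload) share the same classification logic, so one added example covers both. This is example code written for this page, not part of dash-uploader; the policy bounds (1 byte to 1 GiB), the `/upload` path prefix and the request records it inspects are assumptions, and the sample requests are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Assumed policy bounds for max_file_size; tune to what your application actually needs.
MIN_FILE_SIZE = 1
MAX_FILE_SIZE = 1024 * 1024 * 1024  # 1 GiB

# Assumed upload endpoint prefix; the advisory only names "/upload endpoints".
UPLOAD_PATH_RE = re.compile(r"^/upload(?:/|$)")


def validate_max_file_size(raw: Optional[str]) -> int:
    """Server-side guard: accept only a plain decimal integer within policy bounds."""
    if raw is None:
        raise ValueError("max_file_size missing")
    if not re.fullmatch(r"[0-9]{1,12}", raw):
        raise ValueError("max_file_size is not a plain non-negative integer")
    value = int(raw)
    if not MIN_FILE_SIZE <= value <= MAX_FILE_SIZE:
        raise ValueError(f"max_file_size {value} outside allowed range")
    return value


def classify_max_file_size(raw: str) -> Optional[str]:
    """Detection-side label for a max_file_size value; None means nothing suspicious."""
    if re.fullmatch(r"[0-9]+", raw):
        value = int(raw)
        if value == 0:
            return "zero"
        if value > MAX_FILE_SIZE:
            return "extremely large"
        return None
    if re.fullmatch(r"-[0-9]+", raw):
        return "negative"
    return "non-numeric or special characters"


def content_length_mismatch(declared: Optional[str], actual_body_bytes: int) -> bool:
    """True when the declared Content-Length is malformed or disagrees with the bytes received."""
    if declared is None:
        return False  # an absent header is a separate finding, not a mismatch
    if not re.fullmatch(r"[0-9]+", declared.strip()):
        return True
    return int(declared) != actual_body_bytes


def triage(requests: List[Dict]) -> List[str]:
    """Run detection rules 1 and 4 over request records and return alert strings."""
    alerts = []
    for req in requests:
        if req["method"] != "POST" or not UPLOAD_PATH_RE.match(req["path"]):
            continue
        params = parse_qs(req.get("query", ""), keep_blank_values=True)
        for raw in params.get("max_file_size", []):
            reason = classify_max_file_size(raw)
            if reason:
                alerts.append(f"{req['method']} {req['path']}: max_file_size {reason} ({raw!r})")
        declared = req["headers"].get("Content-Length")
        if content_length_mismatch(declared, req["body_bytes"]):
            alerts.append(
                f"{req['method']} {req['path']}: Content-Length mismatch "
                f"(declared {declared!r}, received {req['body_bytes']})"
            )
    return alerts


# Constructed request records (method, path, query string, headers, bytes actually received).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/upload", "query": "max_file_size=1048576&upload_id=u1",
     "headers": {"Content-Length": "512"}, "body_bytes": 512},          # benign
    {"method": "POST", "path": "/upload", "query": "max_file_size=-1&upload_id=u2",
     "headers": {"Content-Length": "512"}, "body_bytes": 512},          # negative value
    {"method": "POST", "path": "/upload/chunk", "query": "max_file_size=99999999999&upload_id=u3",
     "headers": {"Content-Length": "2048"}, "body_bytes": 2048},        # far above 1 GiB
    {"method": "POST", "path": "/upload", "query": "max_file_size=1e9&upload_id=u4",
     "headers": {"Content-Length": "512"}, "body_bytes": 512},          # not a plain integer
    {"method": "POST", "path": "/upload", "query": "max_file_size=1048576&upload_id=u5",
     "headers": {"Content-Length": "100"}, "body_bytes": 40000},        # body larger than declared
    {"method": "GET", "path": "/static/app.js", "query": "",
     "headers": {}, "body_bytes": 0},                                    # not an upload, ignored
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_REQUESTS):
        print(alert)
```

Use `validate_max_file_size` at the request boundary (before the value reaches any upload handler) and `triage` over access-log or WAF records to feed an alert. Both deliberately treat the value as text first: the check is whether the string is a plain integer in range, not whether Python can coerce it into a number.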
🔧 Remediation Steps (Arabic, translated)
IMMEDIATE ACTIONS:
1. Identify all systems using dash-uploader from version 0.1.0 to 0.7.0a2 via library scanning (pip list, requirements.txt, poetry.lock)
2. Isolate affected applications from direct internet access or place them behind a web application firewall with strict file upload rules
3. Apply network segmentation to limit lateral movement if RCE occurs

PATCHING GUIDANCE:
1. Upgrade to dash-uploader version > 0.7.0a2 when available (monitor GitHub and PyPI)
2. If the update is unavailable, use alternative file upload libraries (Flask-Upload, django-storages)
3. Pin versions to prevent automatic updates to vulnerable versions

COMPENSATING CONTROLS (if the update is delayed):
1. Apply strict input validation: reject max_file_size parameters outside expected ranges
2. Disable the file upload function if it is not critical; use external storage services (AWS S3, Azure Blob) instead
3. Run the application in a restricted container with limited privileges (non-root user, read-only filesystem)
4. Apply a whitelist of file types and verify signature (magic) numbers
5. Disable execution of Python code in upload directories (set appropriate permissions)

DETECTION RULES:
1. Monitor HTTP requests with suspicious max_file_size values (negative, very large, special characters)
2. Alert when unexpected processes are spawned from Python/Dash processes
3. Log all file uploads with size validation failures
4. Monitor POST requests to /upload endpoints with Content-Length mismatches
5. Apply IDS signatures for dash-uploader exploitation patterns
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Monitoring of information systems
ECC 2024 A.12.6.2 - Restrictions on software installation
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset management and inventory
SAMA CSF PR.DS-6 - Data security and integrity
SAMA CSF DE.CM-1 - Detection and analysis
SAMA CSF RS.MI-1 - Incident response and recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.12.2.1 - Monitoring of information systems
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Secure development policy
ISO 27001:2022 A.8.1.1 - Inventory of assets
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.2 - Vulnerability scanning
📦 Affected Products / CPE (3 entries)
fohrloop:dash-uploader
fohrloop:dash-uploader:0.7.0
fohrloop:dash-uploader:0.7.0
📊 CVSS Score
7.5 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: N (None)
Integrity: N (None)
Availability: H (High)
📋 Quick Facts
Severity High
CVSS Score: 7.5
CWE: CWE-400
EPSS: 0.38%
Exploit ✓ Yes
Patch ✗ No
Published 2026-05-08
Source Feed nvd
🇸🇦 Saudi Risk Score
8.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available CWE-400