
Enrich GHSA-3rf6-x59v-5jfv (CVE-2026-38360, dash-uploader path traversal RCE)#7635

Open
a1ohadance wants to merge 2 commits into github:a1ohadance/advisory-improvement-7635 from a1ohadance:a1ohadance-GHSA-3rf6-x59v-5jfv

Conversation

@a1ohadance

Enriches GHSA-3rf6-x59v-5jfv (CVE-2026-38360) with the metadata that's currently missing, blocking Dependabot from firing for users of dash-uploader.

Changes

  • affected: was empty []. Now lists PyPI/dash-uploader with all 16 published releases (0.1.0 through 0.7.0a2) and an ECOSYSTEM range with last_affected: 0.7.0a2. The package was archived 2025-07-19; no patched version exists.
  • summary: added (was missing).
  • details: replaced the one-line auto-imported description with the full Impact / Affected versions / Mitigation / References sections, including the four impact escalation paths (.pth site-packages → RCE, WSGI module overwrite, SSH authorized_keys drop, JS XSS into Dash assets).
  • credits: added (was missing) — Muhammad Fitri bin Mohd Sultan as FINDER.
  • references: added cross-link to the companion advisory GHSA-xp7f-v245-w3w8 (CVE-2026-38361, the DoS-suite companion advisory). Tagged the upstream package URL with PACKAGE and the public PoC with EVIDENCE.

Verification

  • JSON validates against https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json (OSV schema 1.4.0).
  • All 16 versions cross-checked against https://pypi.org/pypi/dash-uploader/json.
  • Companion advisory enrichment for GHSA-xp7f-v245-w3w8 submitted as a separate PR per the contribution guide's "one advisory per PR" rule.

Why this matters

The advisory is currently "affected": [], which means Dependabot does not fire for any user with dash-uploader in their requirements.txt / pyproject.toml. The whole defensive value of GHSA — automatic alerts to dependents of an abandoned package — is gated on populating that field. This PR populates it.

Disclosure context

github-actions bot changed the base branch from main to a1ohadance/advisory-improvement-7635 on May 9, 2026 18:52
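As an added example (not code from this PR or from the dash-uploader project), the following Python evaluates an OSV `affected` entry the way a dependency scanner such as Dependabot conceptually does, using the values the PR description gives (PyPI/dash-uploader, an ECOSYSTEM range introduced at "0" and closed by `last_affected: 0.7.0a2`, no `fixed` event). The version ordering is a small PEP 440 subset written here for the example, not the `packaging` library, and the explicit `versions` list is omitted because the 16 release strings are not reproduced on the page.

```python
import re

# Constructed from the PR description: one ECOSYSTEM range opened at "0" and closed by
# last_affected, with no "fixed" event because the package is archived and unpatched.
AFFECTED = {
    "package": {"ecosystem": "PyPI", "name": "dash-uploader"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"last_affected": "0.7.0a2"}]}],
}

_PRE = {"a": 0, "b": 1, "rc": 2}
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")

def version_key(v):
    """Ordering key for the PEP 440 subset this package uses (X.Y.Z plus optional
    a/b/rc N). A pre-release sorts before its final release: 0.7.0a2 < 0.7.0."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:   # PEP 440: 0.7.0 == 0.7
        release = release[:-1]
    pre = (0, _PRE[m.group(2)], int(m.group(3))) if m.group(2) else (1, 0, 0)
    return (release, pre)

def is_affected(affected, installed):
    """Each 'introduced' event opens an interval that the next 'fixed' (exclusive)
    or 'last_affected' (inclusive) event closes; an unclosed interval is open-ended.
    An entry with no ranges (the advisory's previous state) affects nothing."""
    key = version_key(installed)
    for rng in affected.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue
        intervals, lo = [], None
        for ev in rng["events"]:
            if "introduced" in ev:
                lo = ev["introduced"]
            elif lo is not None:
                intervals.append((lo, ev))
                lo = None
        if lo is not None:
            intervals.append((lo, None))
        for lo, hi in intervals:
            if lo != "0" and key < version_key(lo):
                continue
            if hi is None or ("fixed" in hi and key < version_key(hi["fixed"])) \
                    or ("last_affected" in hi and key <= version_key(hi["last_affected"])):
                return True
    return False
```

With the range populated, every published release up to and including 0.7.0a2 evaluates as affected; with `ranges` empty, as the advisory stood before this PR, no installed version does.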
