diff --git a/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json b/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
index c2a9377d3adf2..97ed603dab3b4 100644
--- a/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
+++ b/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
@@ -6,15 +6,41 @@
   "aliases": [
     "CVE-2026-38360"
   ],
-  "details": "Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components",
+  "summary": "dash-uploader vulnerable to unauthenticated path traversal leading to remote code execution",
+  "details": "### Impact\n\nAn unauthenticated path traversal vulnerability exists in [dash-uploader](https://pypi.org/project/dash-uploader/) versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at `dash_uploader/httprequesthandler.py` reads three form parameters (`upload_id`, `resumableFilename`, `resumableIdentifier`) from `request.form.get()` and passes them directly to `os.path.join()` and `os.makedirs()` without any sanitization.\n\nA single unauthenticated `POST /API/dash-uploader` request with `upload_id` set to a relative path (e.g. `../../etc/cron.d` or `../venv/lib/python3.13/site-packages`) escapes the application's `uploads/` directory and writes the supplied file content to the chosen target path under the privilege of the gunicorn / WSGI process.\n\nWhen the chosen target is a Python `site-packages` directory and the dropped file is a `.pth` file containing an `import`-prefixed line, Python's `site` module executes that line on the next interpreter startup, yielding remote code execution. Other escalation paths reachable from the same primitive include overwriting the running WSGI module, dropping `~/.ssh/authorized_keys`, or writing JavaScript into a Dash-served `assets/` directory for stored XSS.\n\n### Affected versions\n\nAll 16 published PyPI releases (`0.1.0` through `0.7.0a2`) are affected. The package repository was archived on 2025-07-19; **no patched version exists**.\n\n### Mitigation\n\nReplace `dash-uploader` with an alternative file-upload component (for example, `dash-resumable-upload`, server-rendered `<input type=\"file\">` plus a hardened Flask endpoint, or a maintained Dash community alternative). There is no upstream fix path.\n\nWhile a replacement is being deployed, mitigations include:\n\n* Block `POST /API/dash-uploader` at an upstream proxy, OR\n* Run the application as an unprivileged user with no write access to its own `site-packages`, OR\n* Use a read-only filesystem for the application's code directories.\n\nThis is a companion advisory to [GHSA-xp7f-v245-w3w8](https://github.com/advisories/GHSA-xp7f-v245-w3w8) (CVE-2026-38361), a multi-vector denial-of-service suite in the same library reachable through the same endpoint.\n\n### References\n\n* Public PoC: <https://github.com/a1ohadance/CVE-2026-38360>\n* NVD: <https://nvd.nist.gov/vuln/detail/CVE-2026-38360>\n* CVE record: <https://www.cve.org/CVERecord?id=CVE-2026-38360>\n* Upstream issue (archived repo): <https://github.com/fohrloop/dash-uploader/issues/153>",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "dash-uploader",
+        "purl": "pkg:pypi/dash-uploader"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.1.0"
+            },
+            {
+              "last_affected": "0.7.0a2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
+    {
+      "type": "EVIDENCE",
+      "url": "https://github.com/a1ohadance/CVE-2026-38360"
+    },
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38360"
@@ -24,11 +50,7 @@
       "url": "https://github.com/fohrloop/dash-uploader/issues/153"
     },
     {
-      "type": "WEB",
-      "url": "https://github.com/a1ohadance/CVE-2026-38360"
-    },
-    {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/fohrloop/dash-uploader"
     },
     {
@@ -42,6 +64,19 @@
     {
       "type": "WEB",
       "url": "https://pypi.org/project/dash-uploader"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/advisories/GHSA-xp7f-v245-w3w8"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Muhammad Fitri bin Mohd Sultan",
+      "type": "FINDER",
+      "contact": [
+        "https://github.com/a1ohadance"
+      ]
     }
   ],
   "database_specific": {
@@ -53,4 +88,4 @@
     "github_reviewed_at": null,
     "nvd_published_at": "2026-05-08T17:16:30Z"
   }
-}
\ No newline at end of file
+}