From 53b5b0a6389d61aa04684d8cc1c1140de43e3429 Mon Sep 17 00:00:00 2001
From: Fitri Sultan <34848106+a1ohadance@users.noreply.github.com>
Date: Sun, 10 May 2026 02:49:48 +0800
Subject: [PATCH 1/2] Enrich GHSA-3rf6-x59v-5jfv (CVE-2026-38360) with PyPI
package, versions, credits, mitigation
---
.../GHSA-3rf6-x59v-5jfv.json | 72 ++++++++++++++++---
1 file changed, 64 insertions(+), 8 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json b/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
index c2a9377d3adf2..5b7f7b2eba562 100644
--- a/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
+++ b/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
@@ -6,15 +6,62 @@
"aliases": [
"CVE-2026-38360"
],
- "details": "Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components",
+ "summary": "dash-uploader vulnerable to unauthenticated path traversal leading to remote code execution",
+ "details": "### Impact\n\nAn unauthenticated path traversal vulnerability exists in [dash-uploader](https://pypi.org/project/dash-uploader/) versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at `dash_uploader/httprequesthandler.py` reads three form parameters (`upload_id`, `resumableFilename`, `resumableIdentifier`) from `request.form.get()` and passes them directly to `os.path.join()` and `os.makedirs()` without any sanitization.\n\nA single unauthenticated `POST /API/dash-uploader` request with `upload_id` set to a relative path (e.g. `../../etc/cron.d` or `../venv/lib/python3.13/site-packages`) escapes the application's `uploads/` directory and writes the supplied file content to the chosen target path under the privilege of the gunicorn / WSGI process.\n\nWhen the chosen target is a Python `site-packages` directory and the dropped file is a `.pth` file containing an `import`-prefixed line, Python's `site` module executes that line on the next interpreter startup, yielding remote code execution. Other escalation paths reachable from the same primitive include overwriting the running WSGI module, dropping `~/.ssh/authorized_keys`, or writing JavaScript into a Dash-served `assets/` directory for stored XSS.\n\n### Affected versions\n\nAll 16 published PyPI releases (`0.1.0` through `0.7.0a2`) are affected. The package repository was archived on 2025-07-19; **no patched version exists**.\n\n### Mitigation\n\nReplace `dash-uploader` with an alternative file-upload component (for example, `dash-resumable-upload`, server-rendered `` plus a hardened Flask endpoint, or a maintained Dash community alternative). 
There is no upstream fix path.\n\nWhile a replacement is being deployed, mitigations include:\n\n* Block `POST /API/dash-uploader` at an upstream proxy, OR\n* Run the application as an unprivileged user with no write access to its own `site-packages`, OR\n* Use a read-only filesystem for the application's code directories.\n\nThis is a companion advisory to [GHSA-xp7f-v245-w3w8](https://github.com/advisories/GHSA-xp7f-v245-w3w8) (CVE-2026-38361), a multi-vector denial-of-service suite in the same library reachable through the same endpoint.\n\n### References\n\n* Public PoC: \n* NVD: \n* CVE record: \n* Upstream issue (archived repo): ",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
- "affected": [],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "dash-uploader",
+ "purl": "pkg:pypi/dash-uploader"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.1.0"
+ },
+ {
+ "last_affected": "0.7.0a2"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.1.0",
+ "0.1.1",
+ "0.1.2",
+ "0.2.0",
+ "0.2.3",
+ "0.2.4",
+ "0.3.0",
+ "0.3.1",
+ "0.4.0",
+ "0.4.1",
+ "0.4.2",
+ "0.5.0",
+ "0.6.0",
+ "0.6.1",
+ "0.7.0a1",
+ "0.7.0a2"
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.7.0a2"
+ }
+ }
+ ],
"references": [
+ {
+ "type": "EVIDENCE",
+ "url": "https://github.com/a1ohadance/CVE-2026-38360"
+ },
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38360"
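Review bot: The interim mitigations in the new `details` text are joined with `OR` as if they were equivalent, but only blocking `POST /API/dash-uploader` at the proxy removes the arbitrary-write primitive. The unprivileged-user and read-only-code-directory options address the `site-packages` path and still leave other targets the same text lists, such as `~/.ssh/authorized_keys`, writable by the process. I would make the proxy block the primary step and present the other two as defence in depth, e.g. `* Block POST /API/dash-uploader at an upstream proxy; additionally, as defence in depth:`. The suggested replacement `dash-resumable-upload` should be checked before it is recommended, since dash-uploader appears to descend from that project and it may carry a similar handler. As the text reads here, the `### References` bullets have no link targets and there is an empty code span before "plus a hardened Flask endpoint"; if that is in the file and not a rendering loss, restore the markup or drop the section, since the `references` array already carries the URLs.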
@@ -24,11 +71,7 @@
"url": "https://github.com/fohrloop/dash-uploader/issues/153"
},
{
- "type": "WEB",
- "url": "https://github.com/a1ohadance/CVE-2026-38360"
- },
- {
- "type": "WEB",
+ "type": "PACKAGE",
"url": "https://github.com/fohrloop/dash-uploader"
},
{
@@ -42,6 +85,19 @@
{
"type": "WEB",
"url": "https://pypi.org/project/dash-uploader"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/advisories/GHSA-xp7f-v245-w3w8"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Muhammad Fitri bin Mohd Sultan",
+ "type": "FINDER",
+ "contact": [
+ "https://github.com/a1ohadance"
+ ]
}
],
"database_specific": {
@@ -53,4 +109,4 @@
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T17:16:30Z"
}
-}
\ No newline at end of file
+}
From ad3da483a0d42d838ff0056acb33f437fca6383d Mon Sep 17 00:00:00 2001
From: Fitri Sultan <34848106+a1ohadance@users.noreply.github.com>
Date: Sun, 10 May 2026 02:55:27 +0800
Subject: [PATCH 2/2] Drop explicit versions list per processor feedback; keep
ECOSYSTEM range events
---
.../GHSA-3rf6-x59v-5jfv.json | 23 +------------------
1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json b/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
index 5b7f7b2eba562..97ed603dab3b4 100644
--- a/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
+++ b/advisories/unreviewed/2026/05/GHSA-3rf6-x59v-5jfv/GHSA-3rf6-x59v-5jfv.json
@@ -33,28 +33,7 @@
}
]
}
- ],
- "versions": [
- "0.1.0",
- "0.1.1",
- "0.1.2",
- "0.2.0",
- "0.2.3",
- "0.2.4",
- "0.3.0",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "0.4.2",
- "0.5.0",
- "0.6.0",
- "0.6.1",
- "0.7.0a1",
- "0.7.0a2"
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 0.7.0a2"
- }
+ ]
}
],
"references": [