CVE-2026-38361
CVE-2026-38361
Multiple unauthenticated denial-of-service (DoS) issues in fohrloop dash-uploader v0.1.0 through v0.7.0a2. The chunked-upload handler (dash_uploader/httprequesthandler.py, dash_uploader/upload.py) trusts unsanitized, attacker-controlled upload parameters (e.g. flowTotalChunks) and does not enforce the documented max_file_size limit, allowing a remote, unauthenticated attacker to cause an out-of-memory (OOM) process crash (unbounded range(1, flowTotalChunks + 1) allocation), truncation of the target file to zero bytes (flowTotalChunks=0, where the all([]) == True quirk runs the file-assembly branch on zero chunks), permanent disk exhaustion (never-cleaned-up temporary directories per flowIdentifier), and a complete bypass of the documented max_file_size limit.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
n/a · n/apublic PoCs found — 1
githubgithub.com/a1ohadance/CVE-2026-38361★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://docs.python.org/3/library/functions.html#allhttps://github.com/a1ohadance/CVE-2026-38361https://github.com/advisories/GHSA-xp7f-v245-w3w8https://github.com/fohrloop/dash-uploaderhttps://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.pyhttps://github.com/fohrloop/dash-uploader/issues/153https://github.com/github/advisory-database/pull/7636https://libraries.io/pypi/dash-uploaderhttps://pepy.tech/project/dash-uploaderhttps://pypi.org/project/dash-uploader/https://pypistats.org/packages/dash-uploader