Vulnerability Details CVE-2026-38361
Multiple unauthenticated denial-of-service (DoS) issues in fohrloop dash-uploader v0.1.0 through v0.7.0a2. The chunked-upload handler (dash_uploader/httprequesthandler.py, dash_uploader/upload.py) trusts unsanitized, attacker-controlled upload parameters (e.g. flowTotalChunks) and does not enforce the documented max_file_size limit, allowing a remote, unauthenticated attacker to cause an out-of-memory (OOM) process crash (unbounded range(1, flowTotalChunks + 1) allocation), truncation of the target file to zero bytes (flowTotalChunks=0, where the all([]) == True quirk runs the file-assembly branch on zero chunks), permanent disk exhaustion (never-cleaned-up temporary directories per flowIdentifier), and a complete bypass of the documented max_file_size limit.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.026
EPSS Ranking 83.7%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-38361
-
cpe:2.3:a:fohrloop:dash-uploader:0.1.0
-
cpe:2.3:a:fohrloop:dash-uploader:0.1.1
-
cpe:2.3:a:fohrloop:dash-uploader:0.1.2
-
cpe:2.3:a:fohrloop:dash-uploader:0.2.0
-
cpe:2.3:a:fohrloop:dash-uploader:0.2.3
-
cpe:2.3:a:fohrloop:dash-uploader:0.2.4
-
cpe:2.3:a:fohrloop:dash-uploader:0.3.0
-
cpe:2.3:a:fohrloop:dash-uploader:0.3.1
-
cpe:2.3:a:fohrloop:dash-uploader:0.4.0
-
cpe:2.3:a:fohrloop:dash-uploader:0.4.1
-
cpe:2.3:a:fohrloop:dash-uploader:0.4.2
-
cpe:2.3:a:fohrloop:dash-uploader:0.5.0
-
cpe:2.3:a:fohrloop:dash-uploader:0.6.1
-
cpe:2.3:a:fohrloop:dash-uploader:0.7.0