
Enrich GHSA-3rf6-x59v-5jfv (CVE-2026-38360, dash-uploader path traversal RCE)#7635

Merged
advisory-database[bot] merged 3 commits into github:a1ohadance/advisory-improvement-7635 from a1ohadance:a1ohadance-GHSA-3rf6-x59v-5jfv on Jun 8, 2026

Conversation

@a1ohadance (Author)

Enriches GHSA-3rf6-x59v-5jfv (CVE-2026-38360) with the metadata that's currently missing, blocking Dependabot from firing for users of dash-uploader.

Changes

  • affected: was empty []. Now lists PyPI/dash-uploader with all 16 published releases (0.1.0 through 0.7.0a2) and an ECOSYSTEM range with last_affected: 0.7.0a2. The package was archived 2025-07-19; no patched version exists.
  • summary: added (was missing).
  • details: replaced the one-line auto-imported description with the full Impact / Affected versions / Mitigation / References sections, including the four impact escalation paths (.pth site-packages → RCE, WSGI module overwrite, SSH authorized_keys drop, JS XSS into Dash assets).
  • credits: added (was missing) — Muhammad Fitri bin Mohd Sultan as FINDER.
  • references: added cross-link to the companion advisory GHSA-xp7f-v245-w3w8 (CVE-2026-38361, the DoS-suite companion advisory). Tagged the upstream package URL with PACKAGE and the public PoC with EVIDENCE.

Verification

  • JSON validates against https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json (OSV schema 1.4.0).
  • All 16 versions cross-checked against https://pypi.org/pypi/dash-uploader/json.
  • Companion advisory enrichment for GHSA-xp7f-v245-w3w8 submitted as a separate PR per the contribution guide's "one advisory per PR" rule.

Why this matters

The advisory is currently "affected": [], which means Dependabot does not fire for any user with dash-uploader in their requirements.txt / pyproject.toml. The whole defensive value of GHSA — automatic alerts to dependents of an abandoned package — is gated on populating that field. This PR populates it.

Disclosure context
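The `affected` entry and the version cross-check the PR description talks about (the ECOSYSTEM range with `introduced: 0` and `last_affected: 0.7.0a2`, and the check of the `versions` list against PyPI's JSON), as an added example that is not part of this PR, the advisory, or the advisory-database project. Assumptions: the `versions` list is trimmed to the two endpoints the PR names rather than all 16 releases, the PyPI document is a constructed stand-in rather than the real `/pypi/dash-uploader/json` response, and the version key covers only the PEP 440 release segment plus `a`/`b`/`rc` pre-releases; the function names are this example's own.

```python
"""Added example (not from the PR or the advisory-database project): build the
OSV `affected` entry the PR describes for PyPI/dash-uploader, evaluate its
ECOSYSTEM range for a given version, and cross-check the `versions` list
against the `releases` keys of a PyPI JSON document."""
import re

# The range form the PR describes: every release up to and including 0.7.0a2,
# with no `fixed` event because the package is archived and unpatched.
DASH_UPLOADER_AFFECTED = {
    "package": {"ecosystem": "PyPI", "name": "dash-uploader"},
    "ranges": [
        {
            "type": "ECOSYSTEM",
            "events": [{"introduced": "0"}, {"last_affected": "0.7.0a2"}],
        }
    ],
    # The real entry lists all 16 releases; only the two endpoints the PR
    # names are reproduced here (assumption: not the full list).
    "versions": ["0.1.0", "0.7.0a2"],
}

_PEP440 = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}


def pep440_key(version):
    """Sort key for the PEP 440 subset used here: release segment plus an
    optional a/b/rc pre-release. Simplified on purpose (no post/dev/local
    segments). Trailing zeros are stripped so 0.7 == 0.7.0, and a final
    release sorts after any pre-release of the same version."""
    m = _PEP440.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if m.group(2) is None:
        pre = (1, 0, 0)  # final release
    else:
        pre = (0, _PRE_ORDER[m.group(2)], int(m.group(3)))
    return (tuple(release), pre)


def version_in_range(version, rng):
    """Evaluate one OSV ECOSYSTEM range for a version. Events are assumed to be
    in ascending order; `fixed` is exclusive, `last_affected` inclusive."""
    if rng["type"] != "ECOSYSTEM":
        raise ValueError("only ECOSYSTEM ranges are handled here")
    v = pep440_key(version)
    inside = False
    for ev in rng["events"]:
        if "introduced" in ev:
            if pep440_key(ev["introduced"]) <= v:
                inside = True
        elif "fixed" in ev and inside:
            inside = v < pep440_key(ev["fixed"])
        elif "last_affected" in ev and inside:
            inside = v <= pep440_key(ev["last_affected"])
    return inside


def affected_versions_vs_pypi(entry, pypi_json):
    """Cross-check the OSV `versions` list against the `releases` keys of a
    PyPI JSON document. Returns (in_osv_not_on_pypi, on_pypi_not_in_osv);
    both empty means the lists agree."""
    osv = set(entry.get("versions", []))
    pypi = set(pypi_json.get("releases", {}))
    return sorted(osv - pypi), sorted(pypi - osv)


def entry_is_consistent(entry):
    """Each range must open with an `introduced` event (an OSV schema rule),
    and every explicitly listed version must fall inside some range."""
    ranges = entry.get("ranges", [])
    for rng in ranges:
        if not rng["events"] or "introduced" not in rng["events"][0]:
            return False
    return all(any(version_in_range(v, r) for r in ranges)
               for v in entry.get("versions", []))


# Constructed stand-in for the PyPI JSON response; only the `releases` keys
# matter for the cross-check, and this is not the real dash-uploader list.
PYPI_SAMPLE = {"releases": {"0.1.0": [], "0.7.0a2": []}}

if __name__ == "__main__":
    rng = DASH_UPLOADER_AFFECTED["ranges"][0]
    print(entry_is_consistent(DASH_UPLOADER_AFFECTED))            # True
    print(version_in_range("0.7.0a2", rng))                       # True
    print(version_in_range("0.7.0", rng))                         # False
    print(affected_versions_vs_pypi(DASH_UPLOADER_AFFECTED, PYPI_SAMPLE))  # ([], [])
```

One caveat the range form carries: because `last_affected` is a pre-release, a final `0.7.0` evaluates as unaffected. That is harmless while no such release exists on PyPI, which is why the cross-check against the PyPI `releases` keys belongs next to the range, but anyone re-running the check later should expect to see it flag a new release rather than the range silently covering it.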

@github-actions github-actions Bot changed the base branch from main to a1ohadance/advisory-improvement-7635 May 9, 2026 18:52
github-actions Bot commented Jun 6, 2026

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jun 6, 2026
@a1ohadance (Author)

Still relevant and ready to merge. Could a maintainer review when there's capacity?

This populates the currently empty affected field for dash-uploader (all 16 PyPI releases, 0.1.0 through 0.7.0a2, with last_affected: 0.7.0a2) plus the missing summary, details, credits, and references. Until affected is set, Dependabot does not alert any project depending on this archived package.

Re-verified today: the JSON still validates against the OSV 1.4.0 schema and all 16 versions still cross-check against the PyPI JSON. This is the path-traversal-to-RCE companion to #7636 (CVE-2026-38361); happy to rebase or adjust formatting if needed.

@advisory-database advisory-database Bot merged commit 1bacf2b into github:a1ohadance/advisory-improvement-7635 Jun 8, 2026
1 check passed
@advisory-database (Contributor)

Hi @a1ohadance! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
