CVE-2026-45230
Published 2026-05-18
Priority P265 · critical · 9.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H
EPSS: 0.63% (45.5th percentile)
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.
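A directory boundary check of the kind this advisory says was bypassed can be written as below. This is an added example, not DumbAssets code or its fix: `DATA_ROOT`, `resolveInside`, `partitionDeleteRequest` and the sample request body are assumptions made for illustration.

```javascript
const path = require('node:path');

// Assumed data root for illustration; not the project's real layout.
const DATA_ROOT = '/srv/app/data';

// Return the absolute path if userPath stays strictly inside baseDir, else null.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) return null;
  if (userPath.includes('\0')) return null; // NUL bytes are never valid in a path
  const base = path.resolve(baseDir);
  // Collapse every "." and ".." segment before any comparison is made.
  const candidate = path.resolve(base, userPath);
  // Compare by path segments, not by string prefix: a prefix test would treat
  // "/srv/app/data-backup" as being inside "/srv/app/data".
  const rel = path.relative(base, candidate);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escapes) return null; // '' means the base directory itself
  return candidate;
}

// Split a filesToDelete array into resolved safe paths and rejected entries.
function partitionDeleteRequest(baseDir, filesToDelete) {
  const allowed = [];
  const rejected = [];
  if (!Array.isArray(filesToDelete)) return { allowed, rejected: [filesToDelete] };
  for (const entry of filesToDelete) {
    const safe = resolveInside(baseDir, entry);
    if (safe === null) rejected.push(entry);
    else allowed.push(safe);
  }
  return { allowed, rejected };
}

// Constructed sample request body (not captured traffic).
const sampleBody = {
  filesToDelete: [
    'Images/a.png',              // inside the data root
    '..thumbs/a.png',            // odd name, but not a ".." segment: still inside
    '../server.js',              // parent directory
    'Images/../../package.json', // traversal hidden behind a valid prefix
    '../data-backup/x.png',      // sibling directory sharing the root's string prefix
    '/etc/hostname',             // absolute path
    'Images/..',                 // resolves to the data root itself
    42,                          // wrong type
  ],
};

console.log(partitionDeleteRequest(DATA_ROOT, sampleBody.filesToDelete));
```

The check is lexical only. If the data directory can contain symlinks, compare `fs.realpath` results for both the base and the target before deleting.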
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dumbwareio | dumbassets | <= 1.0.11 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | v4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
DumbWareio DumbAssets up to 1.0.11 /api/delete-file path traversal (EUVD-2026-30790)
vuldb·2026-05-18·CVSS 8.8
CVE-2026-45230 [HIGH] DumbWareio DumbAssets up to 1.0.11 /api/delete-file path traversal (EUVD-2026-30790)
A vulnerability was found in DumbWareio DumbAssets up to 1.0.11. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/delete-file. Such manipulation leads to path traversal.
This vulnerability is documented as CVE-2026-45230. The attack can be executed remotely. There is not any exploit available.
Applying a patch is advised to resolve this issue.
GHSA
GHSA-7x5q-37jc-hq6p: DumbAssets through 1
ghsa_unreviewed·2026-05-18
CVE-2026-45230 [HIGH] CWE-22 GHSA-7x5q-37jc-hq6p: DumbAssets through 1
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.