CVE-2026-45231
Published 2026-05-18
CVE-2026-45231: DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags…
Priority P428 · medium · 6.1 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.19% (8.4th percentile)
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.
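The two weaknesses the advisory names, fields stored without server-side validation and rendered through innerHTML without escaping, are shown side by side in this added JavaScript example, which is not DumbAssets' code; the function names are assumptions and the request body is a constructed sample.

```javascript
// Added example (not DumbAssets' code): validate asset fields on the
// server and escape them before anything reaches innerHTML on the client.
const ASSET_TEXT_FIELDS = ["name", "description", "modelNumber", "serialNumber"];

// Minimal HTML escaping for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Server side (hypothetical create/update handler): keep each field as
// plain text with a type and length check; tags must be an array of short
// strings. Returns { ok: true, asset } or { ok: false, error }.
function sanitizeAssetInput(body) {
  const asset = {};
  for (const f of ASSET_TEXT_FIELDS) {
    const v = body[f];
    if (v === undefined) continue;
    if (typeof v !== "string" || v.length > 2000) return { ok: false, error: `invalid ${f}` };
    asset[f] = v.trim();
  }
  if (body.tags !== undefined) {
    const okTags = Array.isArray(body.tags) &&
      body.tags.every((t) => typeof t === "string" && t.length <= 64);
    if (!okTags) return { ok: false, error: "invalid tags" };
    asset.tags = body.tags.map((t) => t.trim());
  }
  return { ok: true, asset };
}

// Client side: build the asset-list row so that every stored value is
// escaped; the result is safe to assign to innerHTML. Setting textContent
// on created elements would be an equivalent fix.
function renderAssetRow(asset) {
  const cells = ASSET_TEXT_FIELDS.map((f) => `<td>${escapeHtml(asset[f] ?? "")}</td>`);
  const tags = (asset.tags ?? []).map((t) => `<span class="tag">${escapeHtml(t)}</span>`).join("");
  return `<tr>${cells.join("")}<td>${tags}</td></tr>`;
}

// Constructed sample request body of the kind the advisory describes.
const sampleBody = {
  name: "Laptop <script>alert(1)</script>",
  description: 'Dell "XPS"',
  modelNumber: "XPS-15",
  serialNumber: "SN-0001",
  tags: ["<b>office</b>", "it"],
};
```

Output encoding at render time is the control that closes the bug; the server-side check only bounds type and length, and a Content-Security-Policy remains a separate layer.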
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dumbwareio | dumbassets | <= 1.0.11 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
DumbWareio DumbAssets up to 1.0.11 Asset API Endpoint cross-site scripting
vuldb · 2026-05-19 · CVSS 5.3 · MEDIUM · CVE-2026-45231
A vulnerability labeled as problematic has been found in DumbWareio DumbAssets up to 1.0.11. The impacted element is an unknown function of the component Asset API Endpoint. Such manipulation leads to cross-site scripting.
This vulnerability is traded as CVE-2026-45231. The attack may be launched remotely. There is no exploit available.
A patch should be applied to remediate this issue.
GHSA
GHSA-9ccf-75hj-3v32: DumbAssets through 1
ghsa_unreviewed · 2026-05-18 · MEDIUM · CWE-79 · CVE-2026-45231
The GHSA description is identical to the CVE description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-18