Skip to main content

DumbAssets CVE-2026-45230

| EUVDEUVD-2026-30790 HIGH
Path Traversal (CWE-22)
2026-05-18 disclosure@vulncheck.com GHSA-7x5q-37jc-hq6p
8.8
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:33 vuln.today
Analysis Generated
May 18, 2026 - 18:33 vuln.today

DescriptionCVE.org

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.

AnalysisAI

Arbitrary file deletion in DumbAssets through 1.0.11 lets unauthenticated remote attackers destroy any file the Node.js process can write to by submitting ../ sequences in the filesToDelete array of the POST /api/delete-file endpoint. Because authentication on the application is optional and disabled by default, exposed instances can be rendered completely non-functional by deleting critical files such as server.js or package.json. No public exploit identified at time of analysis, and the CVE is not currently on the CISA KEV list.

Technical ContextAI

DumbAssets is a self-hosted asset/inventory tracker from DumbWareio built on Node.js/Express. The flaw is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in server.js: user-supplied paths from /api/delete-file were stripped of a leading slash and concatenated with DATA_DIR via path.join, which does not normalize away .. segments before they escape the intended directory. The upstream fix in PR #136 introduces a resolveDataFilePath() helper that uses path.resolve plus an explicit prefix check against DATA_DIR and an allowlist of legitimate subdirectories (Images, Receipts, Manuals), rejecting anything that resolves outside that scope.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed - apply the changes from https://github.com/DumbWareio/DumbAssets/pull/136, which add a resolveDataFilePath() allowlist check against DATA_DIR/{Images,Receipts,Manuals}, or upgrade to the first tagged DumbAssets release that includes that commit once available. Until a tagged release is consumed, operators should enable the application's optional authentication (the default-off control referenced in the advisory), place DumbAssets behind an authenticated reverse proxy or VPN, and block external access to POST /api/delete-file; note that enabling auth will require provisioning credentials for every existing user and may break unattended scripts that hit the API. See also the VulnCheck advisory at https://www.vulncheck.com/advisories/dumbassets-path-traversal-file-deletion-via-api-delete-file.

Share

CVE-2026-45230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy