Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck) · only source for this CVE.
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.
AnalysisAI
Arbitrary file deletion in DumbAssets through 1.0.11 lets unauthenticated remote attackers destroy any file the Node.js process can write to by submitting ../ sequences in the filesToDelete array of the POST /api/delete-file endpoint. Because authentication on the application is optional and disabled by default, exposed instances can be rendered completely non-functional by deleting critical files such as server.js or package.json. No public exploit identified at time of analysis, and the CVE is not currently on the CISA KEV list.
Technical ContextAI
DumbAssets is a self-hosted asset/inventory tracker from DumbWareio built on Node.js/Express. The flaw is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in server.js: user-supplied paths from /api/delete-file were stripped of a leading slash and concatenated with DATA_DIR via path.join, which does not normalize away .. segments before they escape the intended directory. The upstream fix in PR #136 introduces a resolveDataFilePath() helper that uses path.resolve plus an explicit prefix check against DATA_DIR and an allowlist of legitimate subdirectories (Images, Receipts, Manuals), rejecting anything that resolves outside that scope.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - apply the changes from https://github.com/DumbWareio/DumbAssets/pull/136, which add a resolveDataFilePath() allowlist check against DATA_DIR/{Images,Receipts,Manuals}, or upgrade to the first tagged DumbAssets release that includes that commit once available. Until a tagged release is consumed, operators should enable the application's optional authentication (the default-off control referenced in the advisory), place DumbAssets behind an authenticated reverse proxy or VPN, and block external access to POST /api/delete-file; note that enabling auth will require provisioning credentials for every existing user and may break unattended scripts that hit the API. See also the VulnCheck advisory at https://www.vulncheck.com/advisories/dumbassets-path-traversal-file-deletion-via-api-delete-file.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30790
GHSA-7x5q-37jc-hq6p