Which versions of DumbAssets are affected by EUVD-2026-30790?

DumbAssets versions 1.0.11 and earlier contain a critical flaw enabling any unauthenticated attacker to permanently delete arbitrary files, including essential application files, on exposed systems.

DumbAssets EUVD-2026-30790

Q: What is the CVSS score of EUVD-2026-30790?

EUVD-2026-30790 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.3%.

| CVE-2026-45230 HIGH

Path Traversal (CWE-22)

2026-05-18 disclosure@vulncheck.com

GHSA-7x5q-37jc-hq6p

Denial Of Service Path Traversal

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 18, 2026 - 18:33 vuln.today

Analysis Generated

May 18, 2026 - 18:33 vuln.today

DescriptionNVD

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.

AnalysisAI

Arbitrary file deletion in DumbAssets through 1.0.11 lets unauthenticated remote attackers destroy any file the Node.js process can write to by submitting ../ sequences in the filesToDelete array of the POST /api/delete-file endpoint. Because authentication on the application is optional and disabled by default, exposed instances can be rendered completely non-functional by deleting critical files such as server.js or package.json. …

RemediationAI

Within 24 hours: Immediately restrict network access to all DumbAssets POST /api/delete-file endpoints via firewall or WAF rules; audit all deployments to identify versions 1.0.11 and earlier and verify authentication is enabled. Within 7 days: Implement Web Application Firewall rules blocking POST requests to /api/delete-file; deploy file integrity monitoring on application server directories; enforce mandatory authentication on all DumbAssets instances regardless of deployment configuration. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-30790 vulnerability details – vuln.today

Back

DumbAssets EUVD-2026-30790

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

DumbAssets EUVD-2026-30790

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code