Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.
AnalysisAI
Stored cross-site scripting in DumbAssets through version 1.0.11 allows script injection via asset fields - name, description, modelNumber, serialNumber, and tags - which are persisted without server-side sanitization and rendered into the DOM via innerHTML without escaping. When a victim navigates to the asset list dashboard, injected JavaScript executes in their browser; the CVE explicitly notes that with Content-Security-Policy absent or disabled, those scripts can make unrestricted connections to internal network services, escalating the impact beyond typical XSS. No public exploit identified at time of analysis, and no KEV listing exists, but the CVSS 4.0 score of 5.3 with a network attack vector and no required privileges represents a meaningful exposure for any internet-accessible or intranet-facing deployment.
Technical ContextAI
DumbAssets (CPE: cpe:2.3:a:dumbwareio:dumbassets:*:*:*:*:*:*:*:*) is a self-hosted IT asset management application by DumbWareio. The vulnerability is a classic stored CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) instance: attacker-controlled asset field values are written to the backend without sanitization and then injected into HTML via JavaScript template literals that assign to innerHTML, bypassing native browser XSS mitigations that only apply to parser-based DOM APIs. The PR #135 diff confirms the vulnerable paths span at least two client-side modules: dashboardManager.js interpolated raw event.name, event.details, event.notes, event.type, event.parentAsset, and event.id directly; script.js did the same for subAsset.name, subAsset.id, subAsset.modelNumber, subAsset.serialNumber, subAsset.tags, and file path attributes. The fix introduces a shared escapeHtml() utility from /src/services/render/escape.js applied at every interpolation site.
RemediationAI
The upstream fix is available via GitHub PR #135 (https://github.com/DumbWareio/DumbAssets/pull/135), which introduces a shared escapeHtml() utility applied across all affected innerHTML interpolation points in dashboardManager.js and script.js. This is an upstream PR and not yet a confirmed tagged release, so operators should monitor the DumbWareio/DumbAssets repository for a published release incorporating this fix and upgrade immediately upon availability. As an interim compensating control, deploying a strict Content-Security-Policy response header (e.g., default-src 'self'; script-src 'self') will prevent injected scripts from making outbound connections to internal services, materially reducing the highest-severity impact pathway described in the CVE - note that CSP does not prevent script execution entirely if the application itself loads inline scripts, so a carefully tuned policy is required. Restricting write access to the asset API endpoints to authenticated and authorized users only reduces the attack surface by preventing untrusted parties from injecting payloads; the trade-off is that this may conflict with intended open-API deployments. Audit existing asset records for suspicious HTML or JavaScript content in name, description, modelNumber, serialNumber, and tags fields as a post-incident hygiene step.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30792
GHSA-9ccf-75hj-3v32