Skip to main content

DumbAssets EUVDEUVD-2026-30792

| CVE-2026-45231 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-18 VulnCheck GHSA-9ccf-75hj-3v32
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 18, 2026 - 19:32 vuln.today
Analysis Generated
May 18, 2026 - 19:32 vuln.today
CVSS changed
May 18, 2026 - 19:22 NVD
6.1 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.

AnalysisAI

Stored cross-site scripting in DumbAssets through version 1.0.11 allows script injection via asset fields - name, description, modelNumber, serialNumber, and tags - which are persisted without server-side sanitization and rendered into the DOM via innerHTML without escaping. When a victim navigates to the asset list dashboard, injected JavaScript executes in their browser; the CVE explicitly notes that with Content-Security-Policy absent or disabled, those scripts can make unrestricted connections to internal network services, escalating the impact beyond typical XSS. No public exploit identified at time of analysis, and no KEV listing exists, but the CVSS 4.0 score of 5.3 with a network attack vector and no required privileges represents a meaningful exposure for any internet-accessible or intranet-facing deployment.

Technical ContextAI

DumbAssets (CPE: cpe:2.3:a:dumbwareio:dumbassets:*:*:*:*:*:*:*:*) is a self-hosted IT asset management application by DumbWareio. The vulnerability is a classic stored CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) instance: attacker-controlled asset field values are written to the backend without sanitization and then injected into HTML via JavaScript template literals that assign to innerHTML, bypassing native browser XSS mitigations that only apply to parser-based DOM APIs. The PR #135 diff confirms the vulnerable paths span at least two client-side modules: dashboardManager.js interpolated raw event.name, event.details, event.notes, event.type, event.parentAsset, and event.id directly; script.js did the same for subAsset.name, subAsset.id, subAsset.modelNumber, subAsset.serialNumber, subAsset.tags, and file path attributes. The fix introduces a shared escapeHtml() utility from /src/services/render/escape.js applied at every interpolation site.

RemediationAI

The upstream fix is available via GitHub PR #135 (https://github.com/DumbWareio/DumbAssets/pull/135), which introduces a shared escapeHtml() utility applied across all affected innerHTML interpolation points in dashboardManager.js and script.js. This is an upstream PR and not yet a confirmed tagged release, so operators should monitor the DumbWareio/DumbAssets repository for a published release incorporating this fix and upgrade immediately upon availability. As an interim compensating control, deploying a strict Content-Security-Policy response header (e.g., default-src 'self'; script-src 'self') will prevent injected scripts from making outbound connections to internal services, materially reducing the highest-severity impact pathway described in the CVE - note that CSP does not prevent script execution entirely if the application itself loads inline scripts, so a carefully tuned policy is required. Restricting write access to the asset API endpoints to authenticated and authorized users only reduces the attack surface by preventing untrusted parties from injecting payloads; the trade-off is that this may conflict with intended open-API deployments. Audit existing asset records for suspicious HTML or JavaScript content in name, description, modelNumber, serialNumber, and tags fields as a post-incident hygiene step.

Share

EUVD-2026-30792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy