Description
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.
Published: 2026-05-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Dumbwareio
Dumbwareio dumbassets
Vendors & Products Dumbwareio
Dumbwareio dumbassets

Mon, 18 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.
Title DumbAssets 1.0.11 Stored Cross-Site Scripting via Asset Fields
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Dumbwareio Dumbassets
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T16:16:34.308Z

Reserved: 2026-05-11T14:14:49.612Z

Link: CVE-2026-45231

cve-icon Vulnrichment

Updated: 2026-05-19T12:50:11.041Z

cve-icon NVD

Status : Deferred

Published: 2026-05-18T19:16:27.623

Modified: 2026-06-17T10:51:48.633

Link: CVE-2026-45231

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T08:18:47Z

Weaknesses