CVE-2026-45231
Severity: MEDIUM
DumbAssets 1.0.11 Stored Cross-Site Scripting via Asset Fields
Title source: cna
Description
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.
References (2)
Patch, issue-tracking: https://github.com/DumbWareio/DumbAssets/pull/135
Third Party Advisory: https://www.vulncheck.com/advisories/dumbassets-stored-cross-site-scripting-via-asset-fields
Scores
CVSS v3: 6.1
EPSS: 0.0019
EPSS Percentile: 8.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1): DumbWareio/DumbAssets < 1.0.11
Published: May 18, 2026
Tracked Since: May 19, 2026