CVE Catalog

CVE-2026-45231

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile - higher than 8% of all known CVEs

Summary

DumbAssets through version 1.0.11 has a stored cross-site scripting vulnerability in asset fields such as name, description, modelNumber, serialNumber, and tags. These fields are stored without server-side sanitization and rendered via innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads through the asset API to execute arbitrary scripts in the browsers of users viewing the asset list.

Risk Assessment

The risk includes session theft, account takeover, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services, potentially leading to further compromise of the organization's infrastructure.

Recommendation

Immediately upgrade DumbAssets to a version later than 1.0.11, implement server-side input sanitization and client-side output escaping, and enable Content-Security-Policy to restrict script execution.

Original NVD description (English source)

DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS