CVE-2026-45231
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
DumbAssets through version 1.0.11 has a stored cross-site scripting vulnerability in asset fields such as name, description, modelNumber, serialNumber, and tags. These fields are stored without server-side sanitization and rendered via innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads through the asset API to execute arbitrary scripts in the browsers of users viewing the asset list.
Risk Assessment
The risk includes session theft, account takeover, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services, potentially leading to further compromise of the organization's infrastructure.
Recommendation
Immediately upgrade DumbAssets to a version later than 1.0.11, implement server-side input sanitization and client-side output escaping, and enable Content-Security-Policy to restrict script execution.
Original NVD description (English source)
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.

