Description
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.
Published: 2026-05-18
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the POST /api/delete-file endpoint of DumbAssets 1.0.11. The filesToDelete array accepts "../" sequences that bypass directory boundary checks, enabling attackers to remove any file on the host system. By deleting critical files such as server.js or package.json, an attacker can render the application inoperable, resulting in denial of service.

Affected Systems

This issue affects DumbWareio DumbAssets version 1.0.11 and any earlier releases. No other products or versions are currently known to be impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. No EPSS score is available, but the remote, unauthenticated nature of the API suggests that exploitation is feasible. The vulnerability is not yet listed in CISA's KEV catalog. Attackers can exploit the flaw by sending crafted POST requests to the vulnerable endpoint from any network location, without authentication, achieving arbitrary file deletion.

Generated by OpenCVE AI on May 18, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of DumbAssets released after 1.0.11 that fixes the path traversal bug.
  • Disable or remove the POST /api/delete-file endpoint until a secure version is available.
  • Enforce authentication on the delete-file API to prevent unauthenticated access.
  • Sanitize and validate all file paths received by the delete-file API, rejecting relative path sequences and enforcing access to a predefined safe directory.



Advisories

No advisories yet.

History

Mon, 18 May 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 18 May 2026 18:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.

Type: Title
Values Removed: (none)
Values Added: DumbAssets 1.0.11 Path Traversal File Deletion via /api/delete-file

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
  {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}
  cvssV4_0
  {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T21:28:45.184Z

Reserved: 2026-05-11T14:14:49.612Z

Link: CVE-2026-45230

Vulnrichment

Updated: 2026-05-18T21:25:22.416Z

NVD

Status : Deferred

Published: 2026-05-18T18:17:37.070

Modified: 2026-05-18T19:42:03.353

Link: CVE-2026-45230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T19:30:26Z

Weaknesses