Description
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.
Published: 2026-05-18
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The identified flaw is a stored cross-site scripting (XSS) vulnerability in DumbAssets version 1.0.11. Asset fields such as name, description, modelNumber, serialNumber, and tags are saved without server-side sanitization and then rendered using innerHTML with no client-side escaping. An attacker can inject JavaScript when creating or updating an asset via the API. When a user views the asset list, the malicious script executes in that user's browser. If a Content-Security-Policy is not enabled, the script can establish unrestricted connections to internal services, potentially exfiltrating data or performing other malicious actions.

Affected Systems

The affected product is DumbWareio's DumbAssets; all installations running version 1.0.11 are vulnerable. Updates released after this version contain the fix.

Risk and Exploitability

The CVSS base score of 5.3 indicates Medium severity. EPSS is not reported, and the vulnerability is not listed in the CISA KEV catalog. The most likely exploitation path requires an attacker to authenticate or otherwise gain the privilege to create or modify assets via the asset API. Without a Content-Security-Policy, the injected payload can reach internal network services, so a successful exploit could lead to data theft, further compromise, or privilege escalation. A CSP limits where the script can connect but does not stop it from running in the affected user's browser, so the attack vector remains web-based XSS via the asset API.

Generated by OpenCVE AI on May 18, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DumbAssets to a version released after 1.0.11 when the vendor provides a patch.
  • Restrict access to the asset creation and update API endpoints, ensuring only trusted administrative accounts can modify asset data.
  • Implement a strong Content-Security-Policy that disallows inline scripts and restricts outbound connections to only necessary domains.
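The description states that asset field values reach the page through innerHTML with no escaping, and the recommended actions call for a restrictive Content-Security-Policy. The following is an added illustration of the defensive side of both points, not code from the DumbAssets project: the field names (name, description, modelNumber, serialNumber, tags) are the ones the advisory lists, while the escapeHtml and renderAssetRow helpers, the sample asset and the CSP value are assumptions of this example.

```javascript
// Added example (not DumbAssets code): defensive rendering of asset fields.
// The advisory describes field values being written into the page with
// innerHTML and no escaping. The output-side fix is to never let a field
// value be parsed as HTML: escape it, or build DOM nodes with textContent.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that can alter HTML structure or break out of an
// attribute value, so the value renders as text rather than markup.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build one asset-list row as an HTML string with every field escaped.
// Assigning this to innerHTML is safe because the only markup present is
// the markup written here, never anything taken from the asset record.
function renderAssetRow(asset) {
  const tags = (Array.isArray(asset.tags) ? asset.tags : [])
    .map((t) => `<span class="tag">${escapeHtml(t)}</span>`)
    .join(' ');
  return (
    `<tr data-id="${escapeHtml(asset.id)}">` +
    `<td>${escapeHtml(asset.name)}</td>` +
    `<td>${escapeHtml(asset.description)}</td>` +
    `<td>${escapeHtml(asset.modelNumber)}</td>` +
    `<td>${escapeHtml(asset.serialNumber)}</td>` +
    `<td>${tags}</td>` +
    `</tr>`
  );
}

// Alternative when a DOM is available: create nodes and assign textContent,
// which the browser never parses as markup. `doc` is passed in so the
// function works with the browser `document` or any DOM implementation.
function renderAssetRowDom(doc, asset) {
  const tr = doc.createElement('tr');
  for (const key of ['name', 'description', 'modelNumber', 'serialNumber']) {
    const td = doc.createElement('td');
    td.textContent = String(asset[key] ?? '');
    tr.appendChild(td);
  }
  const tagCell = doc.createElement('td');
  for (const tag of asset.tags ?? []) {
    const span = doc.createElement('span');
    span.className = 'tag';
    span.textContent = String(tag);
    tagCell.appendChild(span);
  }
  tr.appendChild(tagCell);
  return tr;
}

// Content-Security-Policy matching the recommended action above: no inline
// scripts, and connections only back to the application's own origin. With
// Express this would be sent as res.setHeader('Content-Security-Policy', CSP).
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "connect-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
].join('; ');

// Self-check with a constructed asset whose fields carry markup and quotes.
function demo() {
  const asset = {
    id: 7,
    name: '<script>x()</script>',   // constructed hostile value
    description: 'Rack "A" & B',
    modelNumber: 'X-100',
    serialNumber: 'SN001',
    tags: ['<b>lab</b>', 'prod'],
  };
  return renderAssetRow(asset);
}

module.exports = { escapeHtml, renderAssetRow, renderAssetRowDom, CSP, demo };
```

Output escaping is the primary control here: server-side validation of the fields is worth adding as defence in depth, but it cannot be relied on alone, because a value that is harmless in one context (a JSON API response) becomes executable once it is concatenated into HTML. The CSP value is a second layer that limits what an injected script could do if escaping is ever missed.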

Advisories

No advisories yet.

History

Mon, 18 May 2026 19:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.
Title        (none)           DumbAssets 1.0.11 Stored Cross-Site Scripting via Asset Fields
Weaknesses   (none)           CWE-79
References   (none)           (none)
Metrics      (none)           cvssV3_1: score 6.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                              cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T18:40:42.980Z

Reserved: 2026-05-11T14:14:49.612Z

Link: CVE-2026-45231

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-18T19:16:27.623

Modified: 2026-05-18T19:42:03.353

Link: CVE-2026-45231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T20:30:05Z

Weaknesses