CVE 8.8 HIGH

DumbAssets 1.0.11 Path Traversal File Deletion via /api/delete-file_CVE-2026-45230

May 18, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Description

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.

AI Analysis

Path traversal vulnerability in DumbAssets via /api/delete-file endpoint, allowing unauthenticated attackers to delete arbitrary files

Basic Information

ID CVE-2026-45230

Source VulnCheck

Published May 18, 2026 at 18:06

Affected Product

Vendor DumbWareio

Product DumbAssets

Version 1.0.11

Affected Versions DumbWareio DumbAssets 0

CWE Classification

CWE-22

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor DumbWareio

Product DumbAssets

Version 1.0.11

References

{
    "lastseen": "",
    "description": "DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.",
    "published": "2026-05-18T18:06:56.344Z",
    "modified": "2026-05-18T18:06:56.344Z",
    "type": "cve",
    "title": "DumbAssets 1.0.11 Path Traversal File Deletion via /api/delete-file",
    "source": "VulnCheck",
    "references": "https://github.com/DumbWareio/DumbAssets/pull/136\nhttps://www.vulncheck.com/advisories/dumbassets-path-traversal-file-deletion-via-api-delete-file",
    "id": "CVE-2026-45230",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "DumbWareio DumbAssets 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "DumbAssets",
    "version": "1.0.11",
    "vendor": "DumbWareio",
    "ai_description": "Path traversal vulnerability in DumbAssets via /api/delete-file endpoint, allowing unauthenticated attackers to delete arbitrary files",
    "ai_severity": "High",
    "ai_vendor": "DumbWareio",
    "ai_product": "DumbAssets",
    "ai_version": "1.0.11",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply