CVE-2026-45230— DumbAssets 1.0.11 Path Traversal File Deletion via /api/delete-file
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| DumbWareio | DumbAssets | ≤ 1.0.11 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45230
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
DumbAssets 1.0.11 Path Traversal File Deletion via /api/delete-file
Source: NVD (National Vulnerability Database)
Vulnerability Description
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
DumbAssets 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
DumbAssets是DumbWare开源的一款物理资产追踪管理工具。 DumbAssets 1.0.11及之前版本存在路径遍历漏洞,该漏洞源于POST /api/delete-file端点和filesToDelete数组参数中的路径遍历问题,可能导致未认证攻击者通过提供../序列绕过目录边界验证删除任意文件。攻击者可以利用可选且默认禁用的身份验证控制遍历出预期应用目录,删除关键文件如server.js或package.json,造成完全拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| DumbWareio | DumbAssets | 0 ~ 1.0.11 | - |
II. Public POCs for CVE-2026-45230
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45230
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: DumbWareio
Same weakness: CWE-22
- CVE-2026-39405
Frappe has Path Transversal via SCORM - CVE-2026-39352
Frappe has an Arbitrary File Read via Path Traversal in rend - CVE-2026-9129
Path Traversal in Altium Enterprise Server Viewer StorageCon - CVE-2026-9102
Path Traversal in Altium Enterprise Server ComparisonService - CVE-2026-24209
NVIDIA Triton Inference Server路径穿越漏洞
V. Comments for CVE-2026-45230
No comments yet