CVE-2026-45230 HIGH

CVE-2026-45230: DumbAssets 1.0.11 Path Traversal File Deletion via /api/delete-file

Vendor Dumbwareio
Product DumbAssets
Weakness CWE-22 · Path traversal
Published May 18, 2026
Last update May 18, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and in filesToDelete array parameters. Unauthenticated attackers can delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Because the authentication control is optional and disabled by default, attackers can traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.
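The boundary check that this class of bug calls for, as an added example that is not DumbAssets code: resolve each requested path against the storage root and reject the whole request if any entry lands outside it. The root path, function names and sample inputs are assumptions made for illustration.

```javascript
const path = require('node:path');

// Hypothetical storage root; the project's real directory layout is not shown on this page.
const UPLOAD_ROOT = path.resolve('/app/data/uploads');

// Returns the absolute path when userPath stays strictly inside root, otherwise null.
// This check is lexical only: a deployment that allows symlinks under root should
// also compare fs.realpathSync() of the target against the real root.
function resolveInside(root, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) return null;
  if (userPath.includes('\0')) return null;            // NUL bytes never belong in a path
  const target = path.resolve(root, userPath);         // collapses ./ and ../ segments
  const rel = path.relative(root, target);
  const escaped = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escaped) return null;               // '' would be the root itself
  return target;
}

// Validates a filesToDelete-style array before anything is removed.
// Fails closed: one bad entry rejects the whole request, so nothing is deleted.
function planDeletion(root, filesToDelete) {
  if (!Array.isArray(filesToDelete)) return { allowed: [], rejected: [filesToDelete] };
  const allowed = [];
  const rejected = [];
  for (const entry of filesToDelete) {
    const abs = resolveInside(root, entry);
    if (abs === null) rejected.push(entry);
    else allowed.push(abs);
  }
  return rejected.length > 0 ? { allowed: [], rejected } : { allowed, rejected };
}

// Constructed sample request bodies, not captured traffic.
const benign = ['images/a.png', 'receipts/2026/r1.pdf'];
const hostile = ['images/a.png', '../../server.js', 'receipts/../../package.json'];

console.log(planDeletion(UPLOAD_ROOT, benign));
console.log(planDeletion(UPLOAD_ROOT, hostile));
```

Comparing with path.relative rather than a string prefix also rejects sibling directories whose names merely start with the root's name.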

Key dates

02 Disclosure timeline

May 18, 2026 CVE published
May 18, 2026 Record updated