CVE-2026-45231 MEDIUM

CVE-2026-45231: DumbAssets 1.0.11 Stored Cross-Site Scripting via Asset Fields

Vendor Dumbwareio
Product DumbAssets
Weakness CWE-79 · XSS
Published May 18, 2026
Last update May 19, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.

Key dates

02Disclosure timeline

May 18, 2026 CVE published
May 19, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-43262 WordPress Busiprof theme <= 2.4.8 - Cross Site Scripting (XSS) vulnerability CVE-2025-57935 WordPress Bot Block – Stop Spam Referrals in Google Analytics Plugin <= 2.6 - Cross Site Scripting (XSS) Vulnerability CVE-2025-26929 WordPress Accounting for WooCommerce plugin <= 1.6.8 - Cross Site Scripting (XSS) vulnerability CVE-2025-23653 WordPress Form To Online Booking plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2022-31136 Cross-site Scripting in BookWyrm