CVE-2026-45231 is a stored cross-site scripting issue in DumbAssets through 1.0.11. Asset fields such as name, description, modelNumber, serialNumber, and tags are stored without server-side sanitization and later rendered with innerHTML, allowing attacker-supplied HTML or JavaScript to execute in the browsers of users who view affected asset pages. The supplied advisory also notes that if Content-Securit [truncated]
CVE-2026-45230 describes a path traversal issue in DumbAssets through 1.0.11 affecting the POST /api/delete-file endpoint and filesToDelete array parameters. An unauthenticated attacker can supply ../ sequences to bypass directory boundary checks and delete files outside the intended application directory, including critical application files such as server.js or package.json. The practical impact is comp [truncated]
