PT-2026-41715 · Unknown · Dumbassets

Yoyochaud · Published 2026-05-18 · Updated 2026-05-20 · CVE-2026-45230

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

DumbAssets versions 1.0 through 1.0.11

Description

A path traversal issue exists in the 'POST /api/delete-file' endpoint via the filesToDelete array parameters. This allows unauthenticated attackers to bypass directory boundary validation by using ../ sequences to traverse outside the intended application directory. This can lead to the deletion of critical files, such as server.js or package.json, resulting in a complete denial of service. Path traversal is a technique used to access files and directories that are stored outside the web root folder.

Recommendations

For versions 1.0 through 1.0.11, avoid using the filesToDelete parameter in the 'POST /api/delete-file' endpoint until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
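
One way to enforce the directory boundary for `filesToDelete` entries before any file is removed, shown as an added Node.js example; it is not DumbAssets code or a published fix. `DATA_ROOT`, the function names and the sample paths are assumptions made for illustration.

```javascript
// Added example: containment check for delete requests (not DumbAssets code).
const path = require('node:path');

// Assumed base directory for deletable files; hypothetical, not from the project.
const DATA_ROOT = path.resolve('/srv/app/data');

// Resolve one client-supplied entry against the root and return the absolute
// path only if it stays strictly inside the root; otherwise return null.
function resolveInsideRoot(entry, root = DATA_ROOT) {
  if (typeof entry !== 'string' || entry.length === 0 || entry.includes('\0')) {
    return null; // non-string array members, empty names, NUL bytes
  }
  const target = path.resolve(root, entry); // collapses every ../ segment
  const rel = path.relative(root, target);
  // '' is the root itself, a leading '..' segment means the path escaped,
  // and an absolute result means a different drive (Windows).
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Validate the whole array first: one bad entry rejects the request, so
// nothing is deleted from a request that also contains traversal attempts.
function validateFilesToDelete(filesToDelete, root = DATA_ROOT) {
  if (!Array.isArray(filesToDelete) || filesToDelete.length === 0) {
    return { ok: false, rejected: [filesToDelete], paths: [] };
  }
  const paths = [];
  const rejected = [];
  for (const entry of filesToDelete) {
    const resolved = resolveInsideRoot(entry, root);
    if (resolved === null) rejected.push(entry);
    else paths.push(resolved);
  }
  return { ok: rejected.length === 0, rejected, paths: rejected.length ? [] : paths };
}

// Constructed sample request body (not captured traffic).
const SAMPLE_BODY = { filesToDelete: ['Images/a.png', '../server.js', '../data-old/x'] };
console.log(validateFilesToDelete(SAMPLE_BODY.filesToDelete));
```

The check is lexical and does not follow symlinks; comparing `fs.realpath` results covers that case. It also does not address the missing authentication reflected in the PR:N score.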

DoS

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-45230

Affected Products

Dumbassets