PT-2026-41718 · Unknown · Dumbassets

Yoyochaud · Published 2026-05-18 · Updated 2026-05-20 · CVE-2026-45231

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

DumbAssets versions 1.0 through 1.0.11

Description

A stored cross-site scripting issue exists in asset fields, specifically name, description, modelNumber, serialNumber, and tags. These fields are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can use asset API endpoints to create or update assets with HTML or JavaScript payloads, allowing the execution of arbitrary scripts in the browsers of users viewing the asset list. If the Content-Security-Policy is disabled, these injected scripts can establish unrestricted connections to internal network services.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
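
The rendering pattern described above, next to two hardened forms, as an added example that is not DumbAssets code. The function names, the markup template and the sample record are assumptions made for illustration; only the five field names come from the advisory.

```javascript
// Added example; escapeHtml, renderAsset*, and sampleAsset are hypothetical names,
// not taken from the DumbAssets code base.
const TEXT_FIELDS = ['name', 'description', 'modelNumber', 'serialNumber'];
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Shared template; `enc` decides whether stored values are encoded before interpolation.
function renderAsset(asset, enc) {
  const fields = TEXT_FIELDS
    .map((f) => `<span class="${f}">${enc(asset[f] ?? '')}</span>`)
    .join('');
  const tags = (Array.isArray(asset.tags) ? asset.tags : [])
    .map((t) => `<span class="tag">${enc(t)}</span>`)
    .join('');
  return `<div class="asset">${fields}${tags}</div>`;
}

// Pattern from the advisory: raw stored values end up in a string assigned to innerHTML.
const renderAssetUnsafe = (asset) => renderAsset(asset, (v) => String(v));
// Hardened: every stored value is encoded, so the browser parses it as text, not markup.
const renderAssetEscaped = (asset) => renderAsset(asset, escapeHtml);

// Browser alternative that avoids innerHTML entirely: textContent never parses HTML.
function renderAssetDom(asset, doc) {
  const row = doc.createElement('div');
  row.className = 'asset';
  const tags = (Array.isArray(asset.tags) ? asset.tags : []).map((t) => ['tag', t]);
  for (const [cls, value] of [...TEXT_FIELDS.map((f) => [f, asset[f]]), ...tags]) {
    const span = doc.createElement('span');
    span.className = cls;
    span.textContent = String(value ?? '');
    row.appendChild(span);
  }
  return row;
}

// Constructed sample record with markup in two of the affected fields.
const sampleAsset = {
  name: '<img src=x onerror=alert(1)>',
  description: 'Rack 4 "core" switch & PDU',
  modelNumber: 'MX-200',
  serialNumber: 'SN-0001',
  tags: ['<script>alert(1)</script>', 'network'],
};
```

Escaping at render time covers records that were already stored before any fix; keeping the Content-Security-Policy enabled remains a second layer, since the advisory notes that disabling it removes the limit on what injected scripts can reach.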

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-45231

Affected Products

Dumbassets