CVE-2026-45230

CRITICAL 9.1

DumbAssets 1.0.11 Path Traversal File Deletion via /api/delete-file

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.

CWE	CWE-22
Vendor	dumbwareio
Product	dumbassets
Published	May 18, 2026
Last Updated	May 18, 2026

Stay Ahead of the Next One

Get instant alerts for dumbwareio dumbassets

Be the first to know when new critical vulnerabilities affecting dumbwareio dumbassets are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

DumbWareio / DumbAssets

0 ≤ 1.0.11

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/DumbWareio/DumbAssets/pull/136 vulncheck.com: https://www.vulncheck.com/advisories/dumbassets-path-traversal-file-deletion-via-api-delete-file

Credits

YoyoChaud