CVE-2026-45230: DumbAssets through 1.0.11 allows unauthenticated deletion of files
Summary
An attacker can delete any file on the server without needing a password, including files the server needs in order to function, which could cause the server to stop working. To protect against this, update DumbAssets to version 1.0.12 or later.
Original title
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary ...
Original description
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.
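A containment check of the kind a delete endpoint needs before touching the filesystem, as an added example (not DumbAssets' own code or its 1.0.12 fix). `BASE_DIR`, `resolveInside`, `validateDeleteList` and the sample array are hypothetical names and constructed values.

```javascript
const path = require('node:path');

// Hypothetical data root; the application's real layout is not shown on this page.
const BASE_DIR = '/srv/app/data';

// Resolve a client-supplied path and return it only if it stays inside baseDir.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) return null;
  if (userPath.includes('\0')) return null; // NUL bytes never belong in a path
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userPath); // collapses ../ and absolute inputs
  const rel = path.relative(base, target);
  // '' is the base directory itself; '..' or '../x' or an absolute rel means escape.
  // Comparing on path segments avoids the sibling-prefix mistake
  // ('/srv/app/data-backup' starts with '/srv/app/data' as a string).
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Validate a whole filesToDelete array; the request is refused if any entry escapes.
function validateDeleteList(baseDir, filesToDelete) {
  const accepted = [];
  const rejected = [];
  if (!Array.isArray(filesToDelete)) return { ok: false, accepted, rejected };
  for (const entry of filesToDelete) {
    const resolved = resolveInside(baseDir, entry);
    if (resolved) accepted.push(resolved);
    else rejected.push(entry);
  }
  return { ok: rejected.length === 0, accepted, rejected };
}

// Constructed sample request body mixing legitimate names and traversal attempts.
const sample = [
  'images/a.png',
  '../server.js',
  'images/../../package.json',
  '/etc/hostname',
  'images/..data/b.png', // legitimate name that merely contains dots
];

console.log(validateDeleteList(BASE_DIR, sample));
```

`path.resolve` does not follow symlinks, so a data directory that can contain symlinks also needs the result checked with `fs.realpath` before deletion.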
NVD CVSS 3.1
9.1
NVD CVSS 4.0
8.8
Vulnerability type
CWE-22
Path Traversal
Published: 18 May 2026 · Updated: 28 May 2026 · First seen: 18 May 2026