CVE-2026-45231— DumbAssets 1.0.11 Stored Cross-Site Scripting via Asset Fields
Possible ATT&CK Techniques 3AI
T1530 · Data from Cloud Storage T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| DumbWareio | DumbAssets | ≤ 1.0.11 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45231
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
DumbAssets 1.0.11 Stored Cross-Site Scripting via Asset Fields
Source: NVD (National Vulnerability Database)
Vulnerability Description
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
DumbAssets 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
DumbAssets是DumbWare开源的一款物理资产追踪管理工具。 DumbAssets 1.0.11及之前版本存在跨站脚本漏洞,该漏洞源于资产字段中存储型跨站脚本问题,可能导致攻击者通过资产API端点创建或更新带有HTML或JavaScript有效载荷的资产,在查看资产列表的用户浏览器中执行任意脚本。当内容安全策略禁用时,注入脚本可以不受限制地连接到内部网络服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| DumbWareio | DumbAssets | 0 ~ 1.0.11 | - |
II. Public POCs for CVE-2026-45231
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45231
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-45231 (1)
Vendor Advisories for CVE-2026-45231 (1)
IV. Related Vulnerabilities
Same vendor: DumbWareio
Same weakness: CWE-79
- CVE-2026-45348
pyLoad: Stored XSS in Downloads view via unsanitized link UR - CVE-2026-45323
MeshCore Card: XSS vulnerability through meshcore node name - CVE-2026-47762
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mc - CVE-2026-47761
TinyMCE Cross-Site Scripting (XSS) vulnerability using media - CVE-2026-47759
TinyMCE Cross-Site Scripting (XSS) vulnerability using throu
V. Comments for CVE-2026-45231
No comments yet