Primary

Context

DumbAssets Stored Cross-Site Scripting Vulnerability in Asset Fields

Vulnerability

A stored cross-site scripting vulnerability has been identified in DumbAssets versions through 1.0.11. This issue resides in asset fields such as name, description, modelNumber, serialNumber, and tags, which are saved without proper server-side sanitization. The data is then rendered using innerHTML without client-side escaping. As a result, attackers can inject HTML or JavaScript payloads through the asset API endpoints, executing arbitrary scripts in the browsers of users who view the asset list. Furthermore, with Content-Security-Policy disabled, these injected scripts can make unrestricted connections to internal network services.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the asset list.

Remediation

Users are advised to update to the latest version of DumbAssets, where this vulnerability has been addressed.

Added: May 18, 2026, 7:22 PM

Updated: May 18, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.9

exploitability

5.0

remediation

0.0

relevance

8.6

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.9

exploitability

5.0

remediation

0.0

relevance

8.6

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

DumbAssets Stored Cross-Site Scripting Vulnerability in Asset Fields

Vulnerability

Impact

Remediation

Affected Products

DumbWareio DumbAssets

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating