CVE-2026-45230
9.1 CRITICAL
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameter...
Published: 2026-05-18 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 9.1 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- CWE: CWE-22
Description
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and its filesToDelete array parameter that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Because the application's authentication control is optional and disabled by default, attackers can traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service.
Source: NVD
QSearch commentary
Path traversal in a delete endpoint is the bug we still find more often than IDOR — it survives in shipping codebases because it does not break the happy path and unit tests do not probe it. The DumbAssets case is the recurring failure mode: a filesToDelete array parameter, unfiltered, walking the filesystem. We flag this class in every Application Security pillar engagement; the fix is the same every time and the bug ships anyway.
— QSearch Security Research · 2026-05-19
Our researchers flagged this attack class earlier
In prior coverage, QSearch researchers identified this attack class as a high-likelihood target. This CVE confirms that prediction.
Read the prior coverage →
References
Engagement axis
This CVE class is addressed in the QSearch continuous-protection axis.
Learn more about this axis →
Related CVEs
Same CWE
- CVE-2026-24717 — A path traversal vulnerability has been reported to affect several QNAP operating system versions
- CVE-2025-62851 — A path traversal vulnerability has been reported to affect License Center
- CVE-2026-46491 — SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module (8.6 HIGH)
- CVE-2026-44716 — Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents (7.5 HIGH)
- CVE-2026-34657 — CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Limitation of a Pathname to a Restr... (5.5 MEDIUM)