CVE-2026-45231 is a stored cross-site scripting vulnerability affecting DumbWareio's DumbAssets product through version 1.0.11. The vulnerability arises because asset fields such as name, description, modelNumber, serialNumber, and tags are stored without server-side sanitization and rendered directly using innerHTML without escaping on the client side. This allows attackers to create or update assets via the asset API endpoints with malicious HTML or JavaScript payloads. When users view the asset list, these scripts execute in their browsers. If Content-Security-Policy is disabled, the scripts can also make unrestricted connections to internal network services. The vulnerability has a CVSS 4.0 score of 5.3, indicating medium severity. No patch or official remediation is currently documented.

Successful exploitation allows attackers to execute arbitrary scripts in the browsers of users viewing the affected asset fields. This can lead to theft of user credentials, session tokens, or other sensitive information accessible via the browser. Additionally, if Content-Security-Policy is disabled, the injected scripts can make unrestricted network connections to internal services, potentially increasing the attack surface. The vulnerability requires user interaction (viewing the asset list) and does not require privileges or authentication to exploit via the asset API endpoints.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider enabling strict Content-Security-Policy headers to restrict script execution and network connections. Additionally, avoid disabling client-side security controls and monitor asset input fields for suspicious content. Implementing server-side input sanitization and escaping output before rendering are recommended once a patch is available.