{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45230/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-45230"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DumbAssets"],"_cs_severities":["critical"],"_cs_tags":["path traversal","denial of service","cve-2026-45230"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eDumbAssets through version 1.0.11 is vulnerable to path traversal, tracked as CVE-2026-45230. The flaw is in the \u003ccode\u003ePOST /api/delete-file\u003c/code\u003e endpoint, which takes the names of the files to remove in a \u003ccode\u003efilesToDelete\u003c/code\u003e array in the request body. The endpoint requires no authentication in the default configuration, so a remote attacker can delete any file that the application's OS account is permitted to remove. Because the supplied names are neither validated nor checked against the intended storage directory after resolution, \u003ccode\u003e../\u003c/code\u003e sequences resolve to paths outside that directory. 
Deleting critical files such as \u003ccode\u003eserver.js\u003c/code\u003e or \u003ccode\u003epackage.json\u003c/code\u003e therefore leaves the application unable to start or serve requests, a complete denial of service (DoS).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/delete-file\u003c/code\u003e whose body carries a \u003ccode\u003efilesToDelete\u003c/code\u003e array.\u003c/li\u003e\n\u003cli\u003eOne or more entries in the array contain path traversal sequences, for example \u003ccode\u003e../server.js\u003c/code\u003e or \u003ccode\u003e../package.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application resolves each entry relative to its storage directory without validating or sanitizing the name, so the \u003ccode\u003e../\u003c/code\u003e sequences escape that directory.\u003c/li\u003e\n\u003cli\u003eThe application unlinks the resulting paths, removing files outside the intended directory.\u003c/li\u003e\n\u003cli\u003eWith essential files such as \u003ccode\u003eserver.js\u003c/code\u003e or \u003ccode\u003epackage.json\u003c/code\u003e gone, the application can no longer run and is denied service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation lets unauthenticated attackers delete any file the application's OS account can remove, including critical application files like \u003ccode\u003eserver.js\u003c/code\u003e or \u003ccode\u003epackage.json\u003c/code\u003e, resulting in a complete denial of service. Given the CVSS score of 9.1, this vulnerability represents a significant risk, and because the endpoint is unauthenticated by default, exploitation is a single crafted request.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect \u003ccode\u003ePOST\u003c/code\u003e requests containing path traversal sequences targeting the \u003ccode\u003e/api/delete-file\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eInspect logs for \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/api/delete-file\u003c/code\u003e whose \u003ccode\u003efilesToDelete\u003c/code\u003e entries contain \u003ccode\u003e../\u003c/code\u003e or a URL-encoded form such as \u003ccode\u003e%2e%2e%2f\u003c/code\u003e. Standard web server access logs do not record request bodies, so this hunt needs application-level request logging, a reverse proxy or WAF that logs bodies, or packet capture.\u003c/li\u003e\n\u003cli\u003eFix the endpoint: resolve each supplied name against the storage directory and reject any result that is not inside it. A simpler rule that also closes the hole is to accept only bare file names with no path separators.\u003c/li\u003e\n\u003cli\u003eEnforce authentication on the \u003ccode\u003e/api/delete-file\u003c/code\u003e endpoint, and run the service under an account that cannot write to its own code directory, so that a traversal cannot remove \u003ccode\u003eserver.js\u003c/code\u003e or \u003ccode\u003epackage.json\u003c/code\u003e even if it succeeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T18:19:06Z","date_published":"2026-05-18T18:19:06Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dumbassets-path-traversal/","summary":"DumbAssets through version 1.0.11 is vulnerable to path traversal in the POST /api/delete-file endpoint, allowing unauthenticated attackers to delete arbitrary files, including critical files like server.js or package.json, resulting in denial of service.","title":"DumbAssets Path Traversal Vulnerability (CVE-2026-45230)","url":"https://feed.craftedsignal.io/briefs/2026-05-dumbassets-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45230","version":"https://jsonfeed.org/version/1.1"}