Vulnerability in EPiServer.Forms
Found the cause:
The [CatalogItemAsset] database table only supports nvarchar(50) for the asset type while our image media file has 56 characters:
The sample commerce site luckily only had 48 characters, thus, it doesn't fail.
Thank you for your finding. This indeed is a bug and we've filed a bug report for it.