PT-2026-56249 · Lissy93 · Dashy

Ixsly

·

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-55592

CVSS v3.1

3.9

Low

VectorAV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55592

Affected Products

Dashy