PT-2026-56249 · Lissy93 · Dashy
Ixsly
·
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-55592
CVSS v3.1
3.9
Low
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dashy