PT-2026-60260 · Lissy93 · Dashy
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-54443
CVSS v4.0
5.9
Medium
| Vector | AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Dashy