JavaScript Injection Vulnerability in Dashy Dashboard by Lissy93
CVE-2026-55592
3.9LOW
What is CVE-2026-55592?
The vulnerability in Dashy, a self-hostable personal dashboard, arises from the improper handling of URL query parameters. Before version 4.3.7, Dashy's workspace view directly assigned the URL query parameter to an iframe's source without validating its scheme. This flaw allows attackers to craft workspace links containing malicious JavaScript URLs. When a logged-in user accesses such links, the injected JavaScript executes within the Dashy application's origin. This can enable the attacker to read sensitive same-origin browser data, manipulate the Dashy document object model (DOM), and make unauthorized requests as the victim.
Affected Version(s)
dashy < 4.3.7
