JavaScript Injection Vulnerability in Dashy Dashboard by Lissy93
CVE-2026-55592

3.9LOW

Key Information:

Vendor

Lissy93

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-55592?

The vulnerability in Dashy, a self-hostable personal dashboard, arises from the improper handling of URL query parameters. Before version 4.3.7, Dashy's workspace view directly assigned the URL query parameter to an iframe's source without validating its scheme. This flaw allows attackers to craft workspace links containing malicious JavaScript URLs. When a logged-in user accesses such links, the injected JavaScript executes within the Dashy application's origin. This can enable the attacker to read sensitive same-origin browser data, manipulate the Dashy document object model (DOM), and make unauthorized requests as the victim.

Affected Version(s)

dashy < 4.3.7

References

CVSS V3.1

Score:
3.9
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.