Skip to main content

Dashy

4 CVEs product

Monthly

CVE-2026-54443 MEDIUM PATCH This Month

Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 3.2.0.

XSS Dashy
NVD GitHub
CVSS 4.0
5.9
CVE-2026-46485 HIGH PATCH This Week

Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or non-admin authenticated users overwrite the central config.yaml via the config-saving endpoint when the deployment uses OIDC authentication, bypassing configured permission controls. Successful abuse enables tampering with dashboard configuration and potential service disruption. No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Dashy
NVD GitHub
CVSS 3.1
8.2
CVE-2026-55592 LOW POC PATCH Monitor

Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser within the Dashy origin by tricking an authenticated user into visiting a crafted URL containing a javascript: scheme in the url query parameter. All Dashy releases prior to 4.3.7 are affected. Successful exploitation enables reading same-origin browser data, DOM manipulation, and issuing authenticated requests on behalf of the victim. No public exploit identified at time of analysis.

XSS Dashy
NVD GitHub VulDB
CVSS 3.1
3.9
EPSS
0.3%
CVE-2023-5916 MEDIUM POC This Month

A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Dashy
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.5%
CVSS 5.9
MEDIUM PATCH This Month

Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 3.2.0.

XSS Dashy
NVD GitHub
CVSS 8.2
HIGH PATCH This Week

Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or non-admin authenticated users overwrite the central config.yaml via the config-saving endpoint when the deployment uses OIDC authentication, bypassing configured permission controls. Successful abuse enables tampering with dashboard configuration and potential service disruption. No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Dashy
NVD GitHub
EPSS 0% CVSS 3.9
LOW POC PATCH Monitor

Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser within the Dashy origin by tricking an authenticated user into visiting a crafted URL containing a javascript: scheme in the url query parameter. All Dashy releases prior to 4.3.7 are affected. Successful exploitation enables reading same-origin browser data, DOM manipulation, and issuing authenticated requests on behalf of the victim. No public exploit identified at time of analysis.

XSS Dashy
NVD GitHub VulDB
EPSS 1% CVSS 4.3
MEDIUM POC This Month

A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Dashy
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy