Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 08 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 07 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7. | |
| Title | Dashy: XSS in workspace url parameter | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T14:30:28.126Z
Reserved: 2026-06-16T23:18:03.170Z
Link: CVE-2026-55592
Updated: 2026-07-08T14:30:18.670Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T16:00:05Z