CVE-2026-54443 in Dashyinfo

Summary

by MITRE • 07/15/2026

Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability exists within the Dashy personal dashboard application where the RSS widget component fails to properly sanitize user-provided link values from RSS feeds before rendering them as href attributes in anchor tags. This represents a classic cross-site scripting vulnerability that allows remote attackers to inject malicious javascript: URIs into feed item links, which then execute when users click on the Read More links within the dashboard interface. The affected component is located at src/components/Widgets/RssFeed.vue and affects versions from 1.9.4 through 3.2.0, creating a significant security risk for all users who rely on RSS feeds within their personal dashboards.

The technical flaw stems from inadequate input validation and output sanitization practices within the widget's rendering logic. When RSS feeds are fetched and displayed, the application directly incorporates link values from external sources without proper sanitization of potentially malicious URI schemes such as javascript:, data:, or vbscript:. This vulnerability specifically targets the href attribute assignment process where feed item titles and Read More links are constructed, allowing attackers to craft malicious RSS feeds that contain javascript: URIs in their link fields. The vulnerability manifests when users click on these crafted links within the Dashy application context, resulting in arbitrary code execution in the victim's browser with the privileges of the logged-in user.

The operational impact of this vulnerability is substantial as it enables attackers to execute arbitrary JavaScript code within the context of the Dashy application, potentially leading to session hijacking, data exfiltration, or further exploitation of the compromised user environment. Since Dashy is designed for personal use and often runs in trusted environments, users may not expect security boundaries around externally sourced content like RSS feeds, making this attack vector particularly dangerous. The vulnerability affects any user who has configured RSS feeds within their dashboard, potentially compromising all personal data accessible through the application interface. This issue falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses cross-site scripting vulnerabilities where user-provided input is not properly sanitized before being rendered in web pages.

Mitigation strategies should focus on implementing comprehensive input sanitization and output encoding for all external content before rendering. The fix implemented in version 3.2.0 likely includes proper URI validation that rejects or encodes potentially dangerous schemes such as javascript: and data:. Organizations using Dashy should immediately upgrade to version 3.2.0 or later to address this vulnerability. Additionally, administrators should consider implementing Content Security Policy headers that restrict the execution of inline scripts and limit the sources from which external content can be loaded. The ATT&CK framework categorizes this vulnerability under T1566 - Phishing, specifically targeting the initial access phase where adversaries use malicious links in feeds or emails to deliver payloads. Regular security assessments should include testing for similar vulnerabilities in other dashboard components that incorporate external data sources, as this represents a common pattern in web application development where user-provided content is not adequately sanitized before execution contexts are created.

Responsible

GitHub M

Reservation

06/15/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!