CVE-2026-55592 in dashy
Summary
by MITRE • 07/08/2026
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
This vulnerability exists within Dashy's workspace view functionality where the application fails to properly validate URL schemes before assigning user-provided input to an iframe source attribute. The flaw represents a classic cross-site scripting vulnerability that allows attackers to manipulate the application's behavior through maliciously crafted URLs. When a logged-in user visits a specially constructed workspace link containing a javascript: URL, the application blindly trusts and executes this content within the same-origin context of the Dashy application.
The technical exploitation occurs because Dashy does not perform proper scheme validation on the url query parameter, allowing arbitrary protocols including javascript: to be directly assigned to iframe sources. This creates an environment where attacker-controlled JavaScript code executes with the privileges and permissions of the logged-in user. The vulnerability is particularly dangerous because it leverages the trust relationship between the application and its authenticated users, enabling attackers to perform actions that would normally require legitimate user credentials or session tokens.
The operational impact of this vulnerability extends beyond simple script execution as the malicious JavaScript gains access to same-origin browser data through the document object model. This includes potential access to session cookies, local storage contents, and other sensitive information stored within the browser context. Additionally, the compromised iframe can make authenticated requests to the Dashy application on behalf of the victim user, potentially allowing for account takeover or unauthorized modifications to the dashboard configuration.
Security professionals should note that this vulnerability aligns with CWE-79 Cross-site Scripting and CWE-20 Improper Input Validation categories within the CWE taxonomy. The attack pattern follows typical exploitation techniques described in MITRE ATT&CK framework under TA0001 Initial Access and TA0003 Persistence phases, where attackers establish footholds through user interaction with maliciously crafted links. Organizations using Dashy versions prior to 4.3.7 should immediately implement mitigations including input validation of URL parameters, scheme filtering for iframe sources, and user education about the risks of clicking untrusted links. The fix implemented in version 4.3.7 demonstrates proper security controls by enforcing scheme validation on URL inputs before assignment to potentially dangerous HTML attributes.