CVE-2026-55592 in dashy
Zusammenfassung
von MITRE • 08.07.2026
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.