2 matches found
CVE-2026-55592 Dashy: XSS in workspace url parameter
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy...
CVE-2026-55592
Dashy prior to version 4.3.7 is affected by an XSS related to the workspace URL parameter in the iframe src, where the URL is used without scheme validation. A crafted workspace link with a javascript: URL can execute code in the Dashy origin, allowing access to same-origin data, interaction with...