Search
Find a vulnerability
Search criteria
4 vulnerabilities found for dashy by lissy93
CVE-2026-55592 (GCVE-0-2026-55592)
Vulnerability from nvd – Published: 2026-07-07 20:48 – Updated: 2026-07-08 14:30
VLAI
EPSS
VEX
Title
Dashy: XSS in workspace url parameter
Summary
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/lissy93/dashy/security/advisor… | x_refsource_CONFIRM |
| https://github.com/lissy93/dashy/commit/4bc620e21… | x_refsource_MISC |
| https://github.com/lissy93/dashy/releases/tag/4.3.7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55592",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T14:30:25.302873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:30:28.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/lissy93/dashy/security/advisories/GHSA-58mp-4qr3-vmrc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dashy",
"vendor": "lissy93",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy\u0027s workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T20:48:28.648Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lissy93/dashy/security/advisories/GHSA-58mp-4qr3-vmrc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lissy93/dashy/security/advisories/GHSA-58mp-4qr3-vmrc"
},
{
"name": "https://github.com/lissy93/dashy/commit/4bc620e21cc8e3466f32b8bc40614b0d0eb5648b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lissy93/dashy/commit/4bc620e21cc8e3466f32b8bc40614b0d0eb5648b"
},
{
"name": "https://github.com/lissy93/dashy/releases/tag/4.3.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lissy93/dashy/releases/tag/4.3.7"
}
],
"source": {
"advisory": "GHSA-58mp-4qr3-vmrc",
"discovery": "UNKNOWN"
},
"title": "Dashy: XSS in workspace url parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55592",
"datePublished": "2026-07-07T20:48:28.648Z",
"dateReserved": "2026-06-16T23:18:03.170Z",
"dateUpdated": "2026-07-08T14:30:28.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5916 (GCVE-0-2023-5916)
Vulnerability from nvd – Published: 2023-11-02 10:31 – Updated: 2025-02-27 20:36
VLAI
EPSS
VEX
Title
Lissy93 Dashy Configuration save access control
Summary
A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-244305 was assigned to this vulnerability.
Severity
4.3 (Medium)
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Controls
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.244305 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.244305 | signaturepermissions-required |
| https://github.com/Lissy93/dashy/issues/1336 | issue-tracking |
| https://treasure-blarney-085.notion.site/Dashy-0d… | exploit |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:14:24.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.244305"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.244305"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/Lissy93/dashy/issues/1336"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://treasure-blarney-085.notion.site/Dashy-0dca8a0ebbd84f78ae6d03528ff1538c?pvs=4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5916",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T20:31:57.257083Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:36:06.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Configuration Handler"
],
"product": "Dashy",
"vendor": "Lissy93",
"versions": [
{
"status": "affected",
"version": "2.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "zgbsm (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-244305 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Lissy93 Dashy 2.1.1 entdeckt. Sie wurde als kritisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /config-manager/save der Komponente Configuration Handler. Mittels Manipulieren des Arguments config mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-02T10:31:06.228Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.244305"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.244305"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Lissy93/dashy/issues/1336"
},
{
"tags": [
"exploit"
],
"url": "https://treasure-blarney-085.notion.site/Dashy-0dca8a0ebbd84f78ae6d03528ff1538c?pvs=4"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-11-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-11-02T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-11-02T06:45:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "Lissy93 Dashy Configuration save access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-5916",
"datePublished": "2023-11-02T10:31:06.228Z",
"dateReserved": "2023-11-02T05:39:07.124Z",
"dateUpdated": "2025-02-27T20:36:06.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-55592 (GCVE-0-2026-55592)
Vulnerability from cvelistv5 – Published: 2026-07-07 20:48 – Updated: 2026-07-08 14:30
VLAI
EPSS
VEX
Title
Dashy: XSS in workspace url parameter
Summary
Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/lissy93/dashy/security/advisor… | x_refsource_CONFIRM |
| https://github.com/lissy93/dashy/commit/4bc620e21… | x_refsource_MISC |
| https://github.com/lissy93/dashy/releases/tag/4.3.7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55592",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T14:30:25.302873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:30:28.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/lissy93/dashy/security/advisories/GHSA-58mp-4qr3-vmrc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dashy",
"vendor": "lissy93",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy\u0027s workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T20:48:28.648Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lissy93/dashy/security/advisories/GHSA-58mp-4qr3-vmrc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lissy93/dashy/security/advisories/GHSA-58mp-4qr3-vmrc"
},
{
"name": "https://github.com/lissy93/dashy/commit/4bc620e21cc8e3466f32b8bc40614b0d0eb5648b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lissy93/dashy/commit/4bc620e21cc8e3466f32b8bc40614b0d0eb5648b"
},
{
"name": "https://github.com/lissy93/dashy/releases/tag/4.3.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lissy93/dashy/releases/tag/4.3.7"
}
],
"source": {
"advisory": "GHSA-58mp-4qr3-vmrc",
"discovery": "UNKNOWN"
},
"title": "Dashy: XSS in workspace url parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55592",
"datePublished": "2026-07-07T20:48:28.648Z",
"dateReserved": "2026-06-16T23:18:03.170Z",
"dateUpdated": "2026-07-08T14:30:28.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5916 (GCVE-0-2023-5916)
Vulnerability from cvelistv5 – Published: 2023-11-02 10:31 – Updated: 2025-02-27 20:36
VLAI
EPSS
VEX
Title
Lissy93 Dashy Configuration save access control
Summary
A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-244305 was assigned to this vulnerability.
Severity
4.3 (Medium)
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Controls
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.244305 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.244305 | signaturepermissions-required |
| https://github.com/Lissy93/dashy/issues/1336 | issue-tracking |
| https://treasure-blarney-085.notion.site/Dashy-0d… | exploit |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:14:24.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.244305"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.244305"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/Lissy93/dashy/issues/1336"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://treasure-blarney-085.notion.site/Dashy-0dca8a0ebbd84f78ae6d03528ff1538c?pvs=4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5916",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T20:31:57.257083Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:36:06.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Configuration Handler"
],
"product": "Dashy",
"vendor": "Lissy93",
"versions": [
{
"status": "affected",
"version": "2.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "zgbsm (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-244305 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Lissy93 Dashy 2.1.1 entdeckt. Sie wurde als kritisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /config-manager/save der Komponente Configuration Handler. Mittels Manipulieren des Arguments config mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-02T10:31:06.228Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.244305"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.244305"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Lissy93/dashy/issues/1336"
},
{
"tags": [
"exploit"
],
"url": "https://treasure-blarney-085.notion.site/Dashy-0dca8a0ebbd84f78ae6d03528ff1538c?pvs=4"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-11-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-11-02T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-11-02T06:45:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "Lissy93 Dashy Configuration save access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-5916",
"datePublished": "2023-11-02T10:31:06.228Z",
"dateReserved": "2023-11-02T05:39:07.124Z",
"dateUpdated": "2025-02-27T20:36:06.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}