Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Lissy93
Lissy93 dashy |
|
| Vendors & Products |
Lissy93
Lissy93 dashy |
Wed, 15 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0. | |
| Title | Dashy: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | |
| Weaknesses | CWE-80 CWE-84 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T19:17:57.724Z
Reserved: 2026-06-15T15:30:40.317Z
Link: CVE-2026-54443
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:00:06Z