๐Ÿ” CVE Alert

CVE-2026-54443

UNKNOWN 0.0

Dashy: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0.

CWE CWE-80 CWE-84
Vendor lissy93
Product dashy
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for lissy93 dashy

Be the first to know when new unknown vulnerabilities affecting lissy93 dashy are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

lissy93 / dashy
>= 1.9.4, < 3.2.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/lissy93/dashy/security/advisories/GHSA-2x3v-qmgm-r8hv github.com: https://github.com/lissy93/dashy/releases/tag/3.2.0