CVE-2026-54443
Dashy: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0.
| CWE | CWE-80 CWE-84 |
| Vendor | lissy93 |
| Product | dashy |
| Published | Jul 15, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for lissy93 dashy
Be the first to know when new unknown vulnerabilities affecting lissy93 dashy are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
lissy93 / dashy
>= 1.9.4, < 3.2.0