Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: dashy-ui

Found 1 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-55592
3.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • typstPackages.dashy-todo_0_0_2
    • typstPackages.dashy-todo_0_0_1
    • typstPackages.dashy-todo_0_0_3
    • typstPackages.dashy-todo_0_1_0
    • typstPackages.dashy-todo_0_1_1
    • typstPackages.dashy-todo_0_1_2
    • typstPackages.dashy-todo_0_1_3
    • typstPackages.dashy-todo
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Dashy: XSS in workspace url parameter

Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source without scheme validation. If a logged-in user opens a crafted workspace link containing a javascript: URL, JavaScript runs on the Dashy origin and can read same-origin browser data, interact with the Dashy DOM, and send requests as the victim. This issue is fixed in version 4.3.7.

Affected products

dashy
  • ==< 4.3.7

Matching in nixpkgs

pkgs.dashy-ui

Open source, highly customizable, easy-to-use, privacy-respecting dashboard app

Ignored packages (8)

Package maintainers