{"id":"CVE-2026-54443","summary":"Dashy: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","details":"Dashy is a self-hostable personal dashboard. From 1.9.4 until 3.2.0, the Dashy RSS Widget in src/components/Widgets/RssFeed.vue does not sanitize RSS item link values before rendering feed item titles and Read More links as anchor href attributes, allowing an attacker-controlled feed to provide a javascript: URI that executes when clicked in the Dashy origin. This issue is fixed in version 3.2.0.","aliases":["GHSA-2x3v-qmgm-r8hv"],"modified":"2026-07-17T03:47:03.439544859Z","published":"2026-07-15T18:19:31.219Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-80","CWE-84"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54443.json"},"references":[{"type":"WEB","url":"https://github.com/lissy93/dashy/releases/tag/3.2.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54443.json"},{"type":"ADVISORY","url":"https://github.com/lissy93/dashy/security/advisories/GHSA-2x3v-qmgm-r8hv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54443"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lissy93/dashy","events":[{"introduced":"1f5d3f45fcfbc03ac8c099fdc1614b9806dee803"},{"fixed":"24d741488327fb66e79d0d2468f84795d791f019"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"1.9.4"},{"fixed":"3.2.0"}]}}],"versions":["3.1.15","3.1.14","3.1.13","3.1.12","3.1.11","3.1.9","3.1.8","3.1.7","3.1.6","3.1.5","3.1.4","3.1.2","3.1.1","3.0.1","3.0.0","2.1.2","2.1.1","2.1.0","2.0.8","2.0.7","2.0.6","2.0.5","2.0.4","2.0.3","2.0.2","2.0.1","2.0.0","1.9.9","1.9.8","1.9.7","1.9.5","1.9.6","1.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54443.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}]}