Back to overview

CVE-2026-46485

HIGH
8.2
CVSS 3.1
Description
Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8.

Metadata

CVE ID
CVE-2026-46485
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-14 18:06 UTC
Published
2026-07-15 18:08 UTC
Last updated
2026-07-15 18:08 UTC
Primary CWE
CWE-15
CWE-15: External Control of System or Configuration Setting
Vendor / Product
lissy93 / dashy
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Affected products (1)
VendorProductPlatformVersions
lissy93 dashy < 4.0.8
Weakness (CWE)
CWESourceDescription
CWE-15 cna CWE-15: External Control of System or Configuration Setting
CWE-284 cna CWE-284: Improper Access Control
CWE-287 cna CWE-287: Improper Authentication
CWE-602 cna CWE-602: Client-Side Enforcement of Server-Side Security
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
References (2)
Back to overview