PT-2026-29667 · Dbgate · Dbgate

Ngocnn97 · Published 2026-04-01 · Updated 2026-04-07 · CVE-2026-34725

CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DbGate versions 7.0.0 through 7.1.5

Description: DbGate, a cross-platform database manager, contains a stored cross-site scripting (XSS) issue due to attacker-controlled SVG icon strings being rendered as raw HTML without proper sanitization. In the web UI, this allows script execution within another user's browser. In the Electron desktop application, this can lead to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. The issue resides in the icon rendering path, specifically within the FontIcon.svelte, apps.js, DatabaseAppObject.svelte, and AppObjectCore.svelte components. An attacker can exploit this by creating or modifying an application definition to include a malicious applicationIcon. When another user views a matching database or application entry, the malicious code executes. The impact is more severe in the Electron desktop app because the configuration allows access to Node/Electron APIs.

Recommendations: DbGate versions 7.0.0 through 7.1.5 should be updated to version 7.1.5 or later.
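As an added example (not DbGate's own code) of the mitigation this class of bug calls for: an application-supplied SVG icon string is validated against a strict allowlist before any raw-HTML sink such as Svelte's `{@html ...}` renders it, and the caller falls back to a default icon when validation fails. The element and attribute lists, the size limit and the function names are assumptions, not taken from the project.

```javascript
// Added example (not DbGate's code): fail-closed allowlist check for an SVG icon
// string before it reaches a raw-HTML sink such as Svelte's {@html ...}. Any
// element, attribute or markup outside the allowlist rejects the whole icon.
const ALLOWED_ELEMENTS = new Set(['svg', 'g', 'path', 'circle', 'rect',
  'ellipse', 'line', 'polyline', 'polygon', 'title', 'defs']);
const ALLOWED_ATTRS = new Set(['xmlns', 'viewbox', 'width', 'height', 'd',
  'fill', 'stroke', 'stroke-width', 'stroke-linecap', 'stroke-linejoin',
  'fill-rule', 'clip-rule', 'opacity', 'cx', 'cy', 'r', 'rx', 'ry', 'x', 'y',
  'x1', 'y1', 'x2', 'y2', 'points', 'transform', 'class']);
// One tag: closing slash, name, attribute blob, self-closing slash.
const TAG_RE = /^<(\/?)([a-zA-Z][\w-]*)((?:\s+[^<>]*?)?)\s*(\/?)>/;
// One attribute: name plus optional quoted or unquoted value.
const ATTR_RE = /^\s*([^\s=\/"'<>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'<>]+))?/;

function attrsAreSafe(blob) {
  let rest = blob;
  while (rest.trim() !== '') {
    const m = ATTR_RE.exec(rest);
    if (!m) return false;                              // unparseable: fail closed
    // Names off the list (on*, href, xlink:href, style, ...) reject the icon.
    if (!ALLOWED_ATTRS.has(m[1].toLowerCase())) return false;
    rest = rest.slice(m[0].length);
  }
  return true;
}

function isSafeSvgIcon(icon) {
  if (typeof icon !== 'string' || icon.length > 8192) return false;
  let rest = icon.trim();
  if (!rest.startsWith('<svg')) return false;
  let depth = 0;
  while (rest !== '') {
    if (rest[0] !== '<') {                             // text node between tags
      const end = rest.indexOf('<');
      if ((end === -1 ? rest : rest.slice(0, end)).includes('>')) return false;
      rest = end === -1 ? '' : rest.slice(end);
      continue;
    }
    const m = TAG_RE.exec(rest);
    if (!m) return false;                              // comments, CDATA, junk
    const [whole, closing, name, blob, selfClose] = m;
    if (!ALLOWED_ELEMENTS.has(name.toLowerCase())) return false;
    if (closing) { if (--depth < 0) return false; }
    else { if (!attrsAreSafe(blob)) return false; if (!selfClose) depth++; }
    rest = rest.slice(whole.length);
  }
  return depth === 0;                                  // every element closed
}
```

The check is an allowlist rather than a strip-and-render sanitizer, so anything it does not understand (comments, `foreignObject`, `use`, event-handler or `href` attributes, unbalanced tags) fails closed instead of being passed to the HTML parser.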

Fix

Code Injection

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-34725
GHSA-35XM-QVJG-8M42

Affected Products

Dbgate