CVE-2026-6216
Description
A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Manipulation of the argument applicationIcon leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DbGate up to 7.1.4 contains a stored XSS in the SVG Icon String Handler via the applicationIcon parameter, enabling remote script injection.
Vulnerability
Overview
CVE-2026-6216 describes a cross-site scripting (XSS) vulnerability in DbGate, a cross-platform database manager, affecting versions up to 7.1.4. The flaw resides in the FontIcon.svelte component within the SVG Icon String Handler. Manipulation of the applicationIcon argument allows an attacker to inject arbitrary JavaScript code, which is then executed in the context of the application [1][3].
Exploitation
The attack can be launched remotely, and the exploit has been publicly disclosed, increasing the risk of active exploitation. No authentication is explicitly required, suggesting that any user who can supply or influence the applicationIcon parameter (e.g., through a crafted SVG icon) could trigger the XSS. The vulnerability is classified as low severity with a CVSS v3 base score of 3.5, reflecting the need for user interaction or specific conditions [3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser session within DbGate's web interface. This could lead to data theft, session hijacking, or unauthorized actions on behalf of the user, depending on the application's permissions and the attacker's objectives.
Mitigation
The DbGate project has addressed the issue in version 7.1.5. Users are strongly advised to upgrade to this latest release to eliminate the vulnerability [4]. No workarounds have been documented, making the upgrade the only reliable mitigation.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dbgate-web (npm) | < 7.1.5 | 7.1.5 |
Affected products: 2
Patches: 0
No patches discovered yet.
References (6)
- github.com/advisories/GHSA-j8j5-7r4h-vj2g (source: GHSA, type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-6216 (source: GHSA, type: advisory)
- github.com/dbgate/dbgate/releases/tag/v7.1.5 (source: NVD, type: web)
- vuldb.com/submit/785841 (source: NVD, type: web)
- vuldb.com/vuln/357135 (source: NVD, type: web)
- vuldb.com/vuln/357135/cti (source: NVD, type: web)