Platform: nodejs
Component: dbgate-web
Fixed in: 7.0.1, 7.1.5
CVE-2026-34725 is a stored Cross-Site Scripting (XSS) vulnerability in DbGate, a database management tool. Icon strings supplied as SVG are rendered as raw HTML without sanitization, so an attacker who can store a crafted SVG icon string obtains script execution in another user's browser session in the web UI and, because of how the Electron desktop application is configured, potentially local code execution. Versions prior to 7.1.5 are affected.
The primary impact of CVE-2026-34725 is unauthorized script execution. In the web UI, injected JavaScript runs in the context of another user's session, letting the attacker steal credentials, modify data, or otherwise act as that user. The Electron desktop application carries a more severe risk: it runs with nodeIntegration: true and contextIsolation: false, so script injected into the renderer has direct access to Node.js APIs, and successful exploitation can lead to arbitrary code execution on the user's machine, including malware installation, theft of sensitive data, or complete control of the system. Because the vulnerability is stored, the malicious SVG icon persists and can affect multiple users over time.
CVE-2026-34725 was publicly disclosed on 2026-04-01. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation, combined with the potential for local code execution in the Electron app, suggests a medium probability of exploitation if a suitable exploit is developed and disseminated.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC: (none listed)
CVSS Vector: (none listed)
The primary mitigation for CVE-2026-34725 is to upgrade to DbGate version 7.1.5 or later, which fixes the vulnerable icon rendering logic. If an immediate upgrade is not possible, a Web Application Firewall (WAF) rule that blocks requests carrying suspicious SVG content reduces exposure of the web UI: look for content that begins with <svg and carries script elements or event-handler attributes. Additionally, review and restrict user permissions within DbGate, since an attacker must first be able to store the icon string; this limits who can plant a payload and how much a successful attack can reach. After upgrading, confirm the fix by submitting a simple SVG payload (e.g., <svg onload=alert(1)>) as an icon string and verifying that it is rendered inertly rather than executed.
Update DbGate to version 7.1.5 or higher. This version fixes the stored XSS vulnerability in the applicationIcon configuration, which could otherwise lead to remote code execution in the Electron application.
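As an added example, not DbGate's own code or its 7.1.5 fix (neither is shown on this page), the following allowlist validator illustrates how an icon string can be checked before it is ever inserted as HTML, and how a non-SVG icon name is escaped instead; the function names and allowlist contents are assumptions.

```javascript
// Added example (not DbGate's code): strict allowlist validation for SVG icon
// strings before any of them reaches innerHTML. Allowlists are assumptions.
const ALLOWED_ELEMENTS = new Set(['svg', 'g', 'path', 'circle', 'ellipse',
  'rect', 'line', 'polyline', 'polygon', 'title']);
const ALLOWED_ATTRIBUTES = new Set(['xmlns', 'viewBox', 'width', 'height',
  'fill', 'stroke', 'stroke-width', 'stroke-linecap', 'stroke-linejoin',
  'fill-rule', 'clip-rule', 'd', 'cx', 'cy', 'r', 'rx', 'ry', 'x', 'y',
  'x1', 'y1', 'x2', 'y2', 'points', 'class', 'transform', 'opacity']);
// Open tags must be fully double-quoted; values use a narrow charset (no quotes,
// '&', ';', '<', '>'), so entity-encoded or URL-style payloads cannot hide in them.
const OPEN_TAG = /<([A-Za-z][\w-]*)((?:\s+[A-Za-z][\w:-]*\s*=\s*"[A-Za-z0-9 .,#%()\-+:\/_]*")*)\s*(\/?)>/y;
const CLOSE_TAG = /<\/([A-Za-z][\w-]*)\s*>/y;
const ATTR_NAME = /([A-Za-z][\w:-]*)\s*=\s*"[^"]*"/g;
// True only for an <svg> document made solely of allowlisted, balanced elements
// and attributes; comments, DOCTYPE, unquoted attributes and on* handlers all fail.
function isSafeSvgIcon(icon) {
  if (typeof icon !== 'string') return false;
  const s = icon.trim();
  if (!s.startsWith('<svg')) return false;
  const open = [];
  for (let i = 0; i < s.length;) {
    if (s[i] === '>') return false;          // stray '>' means an unparsed tag
    if (s[i] !== '<') { i++; continue; }     // text node, e.g. inside <title>
    CLOSE_TAG.lastIndex = i;
    let m = CLOSE_TAG.exec(s);
    if (m) {
      if (open.pop() !== m[1]) return false; // wrong nesting or no matching open tag
      i = CLOSE_TAG.lastIndex;
      continue;
    }
    OPEN_TAG.lastIndex = i;
    m = OPEN_TAG.exec(s);
    if (!m) return false;                    // not a well-formed, fully quoted tag
    const [, name, attrs, selfClosing] = m;
    if (!ALLOWED_ELEMENTS.has(name)) return false;
    for (const a of attrs.matchAll(ATTR_NAME)) if (!ALLOWED_ATTRIBUTES.has(a[1])) return false;
    if (!selfClosing) open.push(name);
    i = OPEN_TAG.lastIndex;
  }
  return open.length === 0;
}
// Render decision: only validated SVG may become markup; anything else is treated
// as an icon name and HTML-escaped, so it can never turn into a tag.
function renderIcon(icon) {
  if (isSafeSvgIcon(icon)) return { asHtml: true, value: icon.trim() };
  const esc = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return { asHtml: false, value: String(icon).replace(/[&<>"']/g, (c) => esc[c]) };
}
```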
CVE-2026-34725 is a stored XSS vulnerability in DbGate versions before 7.1.5, allowing attackers to inject malicious SVG icons leading to script execution or local code execution in the Electron app.
You are affected if you are using DbGate versions prior to 7.1.5 and are exposed to untrusted SVG icon strings.
Upgrade to DbGate version 7.1.5 or later. As a temporary workaround, implement a WAF rule to block suspicious SVG content.
There are currently no known public exploits or active campaigns targeting CVE-2026-34725, but the potential for exploitation exists.
Refer to the official DbGate security advisory for CVE-2026-34725 on the DbGate website or GitHub repository.