Platform
nodejs
Component
dbgate-web
Fixed in
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
7.1.5
A cross-site scripting (XSS) vulnerability has been identified in DbGate, specifically within the web component up to version 7.1.4. This flaw resides in the handling of the applicationIcon argument within the FontIcon.svelte file, potentially allowing attackers to inject malicious scripts. Successful exploitation could lead to data exposure and session hijacking, impacting users of vulnerable DbGate installations. Upgrade to version 7.1.5 to resolve this issue.
The XSS vulnerability in DbGate allows an attacker to inject arbitrary JavaScript code into the web application. This code could be executed in the context of a user's browser, enabling the attacker to steal sensitive information such as database credentials, session cookies, or other personal data. Attackers could also leverage this vulnerability to redirect users to malicious websites, deface the application, or perform other actions on behalf of the user. The remote nature of the exploit means that attackers do not need to be on the same network as the vulnerable DbGate instance to exploit it. The disclosed nature of the exploit increases the likelihood of exploitation.
This vulnerability has been publicly disclosed, and a proof-of-concept exploit is likely available. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the public disclosure increases the risk. It is not currently listed on CISA KEV. The vulnerability was published on 2026-04-13.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-6216 is to upgrade DbGate to version 7.1.5 or later. This version contains a fix that addresses the vulnerability. If an immediate upgrade is not possible, consider implementing temporary workarounds such as input validation and output encoding on the applicationIcon parameter. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Review DbGate's configuration for any unnecessary features or permissions that could be exploited.
Update DbGate to version 7.1.5 or later to mitigate the Cross-Site Scripting (XSS) vulnerability in the SVG icon handling. This update corrects how icon arguments are processed, preventing the injection of malicious code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-6216 is a cross-site scripting (XSS) vulnerability affecting DbGate web components up to version 7.1.4, allowing attackers to inject malicious scripts.
You are affected if you are using DbGate versions prior to 7.1.5. Check your current version and upgrade immediately if vulnerable.
Upgrade DbGate to version 7.1.5 or later. This resolves the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While the CVSS score is LOW, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Monitor your systems for suspicious activity.
Refer to the DbGate official security advisory for detailed information and updates regarding CVE-2026-6216.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.