Platform
nodejs
Component
dbgate-web
Fixed in
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
7.1.5
A cross-site scripting (XSS) vulnerability has been identified in DbGate, specifically within the web component up to version 7.1.4. This flaw resides in the handling of the applicationIcon argument within the FontIcon.svelte file, potentially allowing attackers to inject malicious scripts. Successful exploitation could lead to data exposure and session hijacking, impacting users of vulnerable DbGate installations. Upgrade to version 7.1.5 to resolve this issue.
The XSS vulnerability in DbGate allows an attacker to inject arbitrary JavaScript code into the web application. This code could be executed in the context of a user's browser, enabling the attacker to steal sensitive information such as database credentials, session cookies, or other personal data. Attackers could also leverage this vulnerability to redirect users to malicious websites, deface the application, or perform other actions on behalf of the user. The remote nature of the exploit means that attackers do not need to be on the same network as the vulnerable DbGate instance to exploit it. The disclosed nature of the exploit increases the likelihood of exploitation.
This vulnerability has been publicly disclosed, and a proof-of-concept exploit is likely available. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the public disclosure increases the risk. It is not currently listed on CISA KEV. The vulnerability was published on 2026-04-13.
Organizations and individuals using DbGate for database management, particularly those relying on older versions (prior to 7.1.5), are at risk. Shared hosting environments where multiple users share the same DbGate instance are particularly vulnerable, as an attacker could potentially exploit the vulnerability to compromise other users' accounts.
• nodejs / server:
  grep -r 'applicationIcon' ./packages/web/src/
• generic web:
  curl -I <dbgate_url>/packages/web/src/icons/FontIcon.svelte | grep -i 'content-type'
disclosure
patch
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-6216 is to upgrade DbGate to version 7.1.5 or later. This version contains a fix that addresses the vulnerability. If an immediate upgrade is not possible, consider implementing temporary workarounds such as input validation and output encoding on the applicationIcon parameter. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Review DbGate's configuration for any unnecessary features or permissions that could be exploited.
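The workaround paragraph above names input validation and output encoding on the icon parameter. The following is an added example written for this page, not DbGate's code and not the actual contents of FontIcon.svelte: it places the generic unsafe pattern (an untrusted icon name concatenated straight into markup) next to a hardened version that first allowlists the name and then HTML-escapes it before it reaches the DOM. The function names, the allowlist regex and the fallback icon are assumptions for illustration.

```javascript
// Added example (not DbGate's code): hardening a hypothetical icon-name
// parameter before it is turned into markup. ICON_NAME_RE, the function
// names and the 'file' fallback are assumptions for illustration.

// Allowlist: icon names are identifiers, never markup. Anything else is rejected.
const ICON_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

// Minimal HTML escaper for text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe shape of the bug the advisory describes: the untrusted value is
// spliced into an HTML string that a component later renders as markup.
function renderIconUnsafe(applicationIcon) {
  return `<span class="icon icon-${applicationIcon}"></span>`;
}

// Step 1: validate. Returns the accepted name or null.
function validateIconName(applicationIcon) {
  if (typeof applicationIcon !== 'string') return null;
  const name = applicationIcon.trim();
  return ICON_NAME_RE.test(name) ? name : null;
}

// Step 2: encode for the output context. The allowlist already excludes
// every metacharacter, so escaping here is defence in depth.
function renderIconSafe(applicationIcon, fallback = 'file') {
  const name = validateIconName(applicationIcon) ?? fallback;
  return `<span class="icon icon-${escapeHtml(name)}"></span>`;
}

// Constructed demonstration input, not a captured payload.
const DEMO_INPUTS = ['database-2', '"><b>x</b>', 42, '../x'];
for (const input of DEMO_INPUTS) {
  console.log(JSON.stringify(input), '->', renderIconSafe(input));
}
```

In a Svelte component the same two steps apply: validate the prop on entry and never hand a raw string to `{@html}`; plain `{name}` interpolation in attributes is escaped by the framework, but an allowlist is still the right control for a value that is meant to select a known icon rather than carry arbitrary text.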
Update DbGate to version 7.1.5 or later to mitigate the cross-site scripting (XSS) vulnerability in SVG icon handling. This update corrects the way icon arguments are processed, preventing the injection of malicious code.
CVE-2026-6216 is a cross-site scripting (XSS) vulnerability affecting DbGate web components up to version 7.1.4, allowing attackers to inject malicious scripts.
You are affected if you are using DbGate versions prior to 7.1.5. Check your current version and upgrade immediately if vulnerable.
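To make the "check your current version" step above concrete, here is an added example, written for this page and not DbGate's own tooling, that reads the `version` field from a package.json (the path `node_modules/dbgate-web/package.json` and the sample text are assumptions) and decides whether it predates the 7.1.5 fix. It handles the one edge case a plain string comparison gets wrong: a prerelease such as `7.1.5-beta.1` still predates `7.1.5`.

```javascript
// Added example (not DbGate's code): is an installed DbGate version older
// than the 7.1.5 fix for CVE-2026-6216? The package.json location and the
// constructed sample below are assumptions.
const FIXED_VERSION = '7.1.5';

// Parse "v?major.minor.patch[-prerelease][+build]"; returns null when malformed.
function parseVersion(v) {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver-style ordering: numeric fields first, and a prerelease sorts before
// the release it precedes. Two prereleases of the same release are treated
// as equal here, which is enough for an affected/not-affected verdict.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isAffected(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) < 0;
}

// Pull the version string out of package.json text, e.g. the contents of
// node_modules/dbgate-web/package.json (path is an assumption).
function versionFromPackageJson(text) {
  const pkg = JSON.parse(text);
  return typeof pkg.version === 'string' ? pkg.version : null;
}

// Combine the two into a verdict object a script or dashboard can consume.
function assess(packageJsonText) {
  const version = versionFromPackageJson(packageJsonText);
  if (version === null) {
    return { version: null, affected: null, advice: 'no version field found' };
  }
  const affected = isAffected(version);
  return {
    version,
    affected,
    advice: affected ? `upgrade to ${FIXED_VERSION} or later` : 'fixed version installed',
  };
}

// Constructed sample, not read from any real installation.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: 'dbgate-web', version: '7.1.4' });
console.log(assess(SAMPLE_PACKAGE_JSON));
```

On a real host, feed `assess` the text of the installed package's package.json (for example via `fs.readFileSync`); the verdict is only as good as the file it reads, so check the package that is actually served, not a stray copy in a build directory.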
Upgrade DbGate to version 7.1.5 or later. This resolves the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While the CVSS score is LOW, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Monitor your systems for suspicious activity.
Refer to the DbGate official security advisory for detailed information and updates regarding CVE-2026-6216.