CVE-2026-34725 - Vulnerability Details

- dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration

Description

DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.

Published: 2026-04-02

Score: 8.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

DbGate, a cross‑platform database manager, contains a stored cross‑site scripting flaw in its applicationIcon feature. Attackers can supply malicious SVG icon strings that are rendered as raw HTML. In the web interface this leads to script execution within any user’s browser, while in the Electron desktop application the vulnerable renderer configuration (nodeIntegration:true and contextIsolation:false) enables those scripts to access the underlying Node.js runtime, thereby raising the impact to local code execution.

Affected Systems

DbGate versions from 7.0.0 up to, but not including, 7.1.5 are affected.

Risk and Exploitability

The vulnerability has a CVSS v3 score of 8.3, indicating high severity. EPSS data is not available and the issue is not catalogued in KEV, so the expected exploitation rate cannot be quantified from public data. The flaw can be abused through the web UI by any authenticated or unauthenticated user who can add an SVG icon, or via the desktop app by a local user who can supply a malicious icon. Because the Electron renderer has disabled isolation, the attack readily gains full access to the system the application runs on, making it a near‑certain vector once the precondition of a custom icon is met.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

dbgate

affected

Version	Status	Constraints
`>= 7.0.0, < 7.1.5`	affected	—

No data.

Vendor Product Confidence Versions

Dbgate

100%

Version	Status	Scheme	Platform
`[7.0.0,7.1.5)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade DbGate to version 7.1.5 or later. The patch removes the insecure rendering of SVG icons.
If an upgrade is not immediately possible, remove or replace any custom SVG icons in the applicationIcon field, or use benign default icons supplied by the application.
Review the Electron configuration in the application; if possible, enable contextIsolation and restrict nodeIntegration to mitigate future similar vulnerabilities.

Generated by OpenCVE AI on April 2, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-35xm-qvjg-8m42	dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e
https://github.com/dbgate/dbgate/releases/tag/v7.1.5
https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42

History

Fri, 03 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dbgate Dbgate dbgate
Vendors & Products		Dbgate Dbgate dbgate

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.
Title		dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
Weaknesses		CWE-79 CWE-94
References		https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e https://github.com/dbgate/dbgate/releases/tag/v7.1.5 https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42
Metrics		cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Dbgate Dbgate

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-02T18:02:35.720Z

Updated: 2026-04-03T03:55:56.991Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34725

Vulnrichment

Updated: 2026-04-02T19:12:33.702Z

NVD

Status : Deferred

Published: 2026-04-02T18:16:33.253

Modified: 2026-04-16T14:45:19.723

Link: CVE-2026-34725

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:17:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object