Impact
A browser-based cross-site scripting (XSS) vulnerability exists in the SVG icon string handler of the DbGate web client. An attacker can supply a crafted value for the applicationIcon argument, which is embedded directly into an SVG element without sanitization. Because that SVG is rendered in the victim's browser, arbitrary script runs in the context of whichever user, authenticated or not, views the affected interface, which can lead to session hijacking, data theft, or further manipulation of the page. The weakness is classified as CWE-79 (improper neutralization of input during web page generation, i.e. XSS); it is also linked to CWE-94 (code injection), since the injected payload is ultimately executed as code.
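The pattern described above, reduced to plain JavaScript as an added illustration (this is not DbGate's code and does not reproduce FontIcon.svelte): a renderer that interpolates an untrusted icon string straight into SVG markup, the kind of crafted value that breaks out of the attribute, and a hardened renderer that validates the name before it touches markup. The function names, the icon names and the crafted value are all constructed for the example.

```javascript
// Added example, not DbGate's code. Shows why an unvalidated icon string
// interpolated into SVG markup is XSS, and one way to harden it.

// Hypothetical vulnerable renderer: trusts iconName and splices it into
// markup that the caller later assigns to innerHTML or renders as raw HTML.
function renderIconUnsafe(iconName) {
  return `<svg class="icon"><use href="#${iconName}"></use></svg>`;
}

// Constructed attacker-controlled value, standing in for a crafted
// applicationIcon argument. It closes the href attribute and the <use>
// element, injects an SVG <image> whose onload handler fires on render
// (no click needed), then re-opens a <use> so the markup stays well-formed.
const craftedIcon =
  '"></use><image href="x" onload="alert(document.cookie)"/><use href="';

// Hardened renderer. Icon identifiers are a closed vocabulary, so a strict
// syntactic check is the primary control: anything that is not a short
// [a-z0-9_-] token is rejected before any markup is built.
const ICON_NAME_RE = /^[a-z0-9_-]{1,64}$/;

// Defense in depth: even a value that passed validation is attribute-escaped,
// so a future relaxation of ICON_NAME_RE cannot silently reintroduce the bug.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function renderIconSafe(iconName) {
  if (typeof iconName !== 'string' || !ICON_NAME_RE.test(iconName)) {
    throw new Error(`rejected icon name: ${JSON.stringify(iconName)}`);
  }
  return `<svg class="icon"><use href="#${escapeAttr(iconName)}"></use></svg>`;
}

// Small check usable in a regression test or a review script: does the
// produced markup carry an inline event handler attribute (onload=, onerror=, ...)?
function containsEventHandler(markup) {
  return /\son[a-z]+\s*=/i.test(markup);
}

// Stand-alone demonstration.
console.log('unsafe:', renderIconUnsafe(craftedIcon));
console.log('unsafe contains handler:', containsEventHandler(renderIconUnsafe(craftedIcon)));
console.log('safe:', renderIconSafe('icon-table'));
try {
  renderIconSafe(craftedIcon);
} catch (e) {
  console.log('safe rejected crafted value:', e.message);
}
```

Validation against a fixed token shape is preferred over escaping alone here because an icon name never legitimately needs quotes or angle brackets; rejecting the value outright also gives you a log line to alert on, which escaping does not.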
Affected Systems
DbGate versions up to 7.1.4 are vulnerable. The flaw resides in the web client component packaged in the source file packages/web/src/icons/FontIcon.svelte. Any environment running one of these versions of DbGate, including private and self-hosted deployments, remains exposed until an updated version is installed; because the component is part of the bundled web client, there is no server-side configuration that avoids it.
Risk and Exploitability
The published CVSS score of 5.1 places the issue in the medium severity band. No EPSS score is available. The flaw is reachable remotely and needs no local privileges, but as an XSS it requires a victim to load the affected page while the crafted value is in place, either by navigating there themselves or by being lured to it by the attacker; once that happens, the attacker's script runs with the victim's session. The vulnerability is not listed in the CISA KEV catalog, and no automated exploitation tooling had been reported at the time of disclosure. Even so, the details are public and the trigger is remote, so organizations with exposed or shared DbGate instances should schedule the update promptly rather than deferring it on the basis of the medium score.
OpenCVE Enrichment
Source: GitHub GHSA