{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6216", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-13T13:18:23.612Z", "datePublished": "2026-04-13T20:15:13.778Z", "dateUpdated": "2026-04-14T15:41:52.694Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T20:15:13.778Z"}, "title": "DbGate SVG Icon String FontIcon.svelte cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "n/a", "product": "DbGate", "versions": [{"version": "7.1.0", "status": "affected"}, {"version": "7.1.1", "status": "affected"}, {"version": "7.1.2", "status": "affected"}, {"version": "7.1.3", "status": "affected"}, {"version": "7.1.4", "status": "affected"}, {"version": "7.1.5", "status": "unaffected"}], "modules": ["SVG Icon String Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-13T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-13T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-13T15:23:39.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ngocnn97 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/357135", "name": "VDB-357135 | DbGate SVG Icon String FontIcon.svelte cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357135/cti", "name": "VDB-357135 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785841", "name": "Submit #785841 | DbGate DbGate Premium 7.1.4 Remote code execution via Stored XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.5", "tags": ["patch"]}, {"url": "https://github.com/dbgate/dbgate/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:41:38.524680Z", "id": "CVE-2026-6216", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:41:52.694Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6216", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:41:38.524680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:41:47.109Z"}}], "cna": {"title": "DbGate SVG Icon String FontIcon.svelte cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "ngocnn97 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "n/a", "modules": ["SVG Icon String Handler"], "product": "DbGate", "versions": [{"status": "affected", "version": "7.1.0"}, {"status": "affected", "version": "7.1.1"}, {"status": "affected", "version": "7.1.2"}, {"status": "affected", "version": "7.1.3"}, {"status": "affected", "version": "7.1.4"}, {"status": "unaffected", "version": "7.1.5"}]}], "timeline": [{"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-13T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-13T15:23:39.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/357135", "name": "VDB-357135 | DbGate SVG Icon String FontIcon.svelte cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357135/cti", "name": "VDB-357135 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785841", "name": "Submit #785841 | DbGate DbGate Premium 7.1.4 Remote code execution via Stored XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.5", "tags": ["patch"]}, {"url": "https://github.com/dbgate/dbgate/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T20:15:13.778Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6216", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:41:52.694Z", "dateReserved": "2026-04-13T13:18:23.612Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-13T20:15:13.778Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component."}], "id": "CVE-2026-6216", "lastModified": "2026-04-13T21:16:32.003", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-13T21:16:32.003", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/dbgate/dbgate/"}, {"source": "cna@vuldb.com", "url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.5"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/785841"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357135"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357135/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.1.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.1.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.1.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.1.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "7.1.5"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "DbGate", "source": "cna", "vendor": "n/a"}, "product": "dbgate", "vendor": "dbgate"}], "analysis": {"en": {"generated_at": "2026-04-13T21:34:33.296262+00:00", "value": {"mitigation_remediation": ["Upgrade DbGate to version 7.1.5 or later", "If upgrade is not immediately possible, restrict or disable the UI component that utilizes FontIcon.svelte", "Apply strict input sanitization to the applicationIcon parameter before it is embedded in the SVG output", "Enforce a strong Content Security Policy to limit execution of injected scripts"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (XSS) enabling remote script execution in users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "DbGate versions up to 7.1.4 are vulnerable. The flaw resides in the web component packaged in the source file packages/web/src/icons/FontIcon.svelte. Any environment hosting these versions of DbGate, including private deployments, is susceptible until an update is installed.", "description_and_impact": "A browser\u2011based XSS vulnerability exists in the SVG Icon String Handler of the DbGate web client. Attackers can supply a crafted value for the argument applicationIcon, which is then embedded directly into an SVG element without proper sanitization. This flaw permits arbitrary scripts to run in the context of an authenticated or unauthenticated user navigating the affected interface, potentially leading to session hijacking, data theft, or further manipulation of the target web page. The vulnerability falls under CWE\u201179 (XSS) and also connects to CWE\u201194 (Code Injection) because the injected payload may involve execution of unexpected code.", "risk_and_exploitability": "The published CVSS score of 5.1 indicates a moderate risk level. While no EPSS score is available, the vulnerability has been disclosed publicly and can be triggered from a remote location without any local privileges. Because the flaw is an XSS, it typically requires a victim to visit the affected page or for the attacker to coerce one, but once achieved, the impact can be significant. The vulnerability is not listed in the CISA KEV catalog, and no automated exploit tools were reported at the time of disclosure. Nonetheless, the availability of a public exploit and the remote nature mean that organizations should treat this as a high\u2011priority issue."}}}}, "created": "2026-04-14T16:18:17.299466+00:00", "updated": "2026-04-14T16:33:24.563292+00:00", "vendors": ["dbgate", "dbgate$PRODUCT$dbgate"]}