CVE-2026-34725 · HIGH 8.2 · EPSS percentile 6.4%

Description

DbGate is a cross-platform database manager. From version 7.0.0 up to, but not including, version 7.1.5, DbGate contains a stored XSS vulnerability because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app it can escalate to local code execution, because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.17% probability of exploitation · percentile 6.4% · scored 2026-06-19T12:03:05Z
Published: 2026-04-02
Last modified: 2026-04-16

Underlying weaknesses · 2

CWE-79, CWE-94

References

  1. https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e
  2. https://github.com/dbgate/dbgate/releases/tag/v7.1.5
  3. https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42


Type      Target                                                                                          Confidence  Tier
Weakness  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79)  0%          live
Weakness  Improper Control of Generation of Code ('Code Injection') (cwe-94)                              0%          live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-24769
  - CVE-2025-10437
  - CVE-2025-54669
  - CVE-2025-36247
  - CVE-2025-62422
  - CVE-2025-65267

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.