DbGate has cross site scripting via the SVG Icon String Handler component
- Severity:
- Low
Description
A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely.
Recommendation
Update the dbgate-web package to the latest compatible version. Followings are version details:
- Affected version(s): < 7.1.5
- Patched version(s): 7.1.5
References
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution - CVE-2026-42045
- Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler - CVE-2026-1721
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
You might also like:
- Tags:
- npm
- dbgate-web
Anything's wrong? Let us know Last updated on April 14, 2026


