dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
- Severity:
- High
Description
A stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization.
Recommendation
Update the dbgate-web package to the latest compatible version. Followings are version details:
- Affected version(s): >= 7.0.0, < 7.1.5
- Patched version(s): 7.1.5
References
Related Issues
- Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS - CVE-2026-35569
- Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
- Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011
- @payloadcms/next has Stored XSS in Admin Panel - CVE-2026-34748
You might also like:
- Tags:
- npm
- dbgate-web
Anything's wrong? Let us know Last updated on April 06, 2026


