GHSA-j8j5-7r4h-vj2g

Source

https://github.com/advisories/GHSA-j8j5-7r4h-vj2g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-j8j5-7r4h-vj2g/GHSA-j8j5-7r4h-vj2g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j8j5-7r4h-vj2g

Aliases

CVE-2026-6216

Published

2026-04-13T21:30:45Z

Modified

2026-04-14T23:49:35.924375Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

DbGate has cross site scripting via the SVG Icon String Handler component

Details

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component.

Database specific

{
    "nvd_published_at": "2026-04-13T21:16:32Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:37:05Z",
    "severity": "LOW"
}

References

Affected packages

npm / dbgate-web

Package

Name: dbgate-web; View open source insights on deps.dev
Purl: pkg:npm/dbgate-web

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.1.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-j8j5-7r4h-vj2g/GHSA-j8j5-7r4h-vj2g.json"