CVE-2026-34725
🟡 Monitoruj
Wykonanie złośliwego skryptu w DbGate umożliwia atak XSS, co prowadzi do lokalnego wykonania kodu.
CVSS
8.2
EPSS
0.0%
Exploit
none
Vendor
Opis źródłowy (NVD)
DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.
xss
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.2 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-04-02 18:16:33 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-16 14:45:19 UTC |
Referencje
- https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e (security-advisories@github.com)
- https://github.com/dbgate/dbgate/releases/tag/v7.1.5 (security-advisories@github.com)
- https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42 (security-advisories@github.com)