CVE-2026-6216 — DbGate has cross site scripting via the SVG Icon String Handler component

Description

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component.

How to fix CVE-2026-6216

To remediate CVE-2026-6216, upgrade the affected package to a fixed version below.

—upgrade to 7.1.5 or later

Is CVE-2026-6216 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 7.1.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	LOW3.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-6216
PATCHgithub.com/dbgate/dbgate
WEBgithub.com/dbgate/dbgate/releases/tag/v7.1.5
WEBvuldb.com/submit/785841
WEBvuldb.com/vuln/357135