Skip to main content

PostgreSQL EUVDEUVD-2026-18472

| CVE-2026-34725 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 https://github.com/dbgate/dbgate GHSA-35xm-qvjg-8m42
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 14:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 01, 2026 - 23:16 euvd
EUVD-2026-18472
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
Patch released
Apr 01, 2026 - 23:16 nvd
Patch available
CVE Published
Apr 01, 2026 - 22:19 nvd
HIGH 8.2

DescriptionGitHub Advisory

Summary

A stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false.

Details

The issue is in the icon rendering path:

  • packages/web/src/icons/FontIcon.svelte
  • treats any icon string starting with <svg as inline SVG
  • renders it with {@html iconValue} without sanitization
  • packages/api/src/controllers/apps.js
  • loads app definitions from disk and returns applicationIcon to clients unchanged
  • packages/web/src/appobj/DatabaseAppObject.svelte
  • passes applicationIcon into additionalIcons
  • packages/web/src/appobj/AppObjectCore.svelte
  • renders those icons through <FontIcon icon={ic.icon}>

This makes applicationIcon a stored XSS sink.

An attacker who can create or modify an app definition can store a payload in applicationIcon. When another user views a matching database/app entry, the payload executes in that user's session.

The impact is especially severe in Electron desktop because:

  • app/src/electron.js
  • nodeIntegration: true
  • contextIsolation: false

With that configuration, JavaScript gained through XSS can access Node/Electron APIs, making local code execution possible.

PoC

This was reproduced by creating an app definition with a malicious applicationIcon and making it match a visible database.

Example payload:

json
{
  "applicationName": "XSS PoC",
  "applicationIcon": "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"18\" height=\"18\"><circle cx=\"9\" cy=\"9\" r=\"8\" fill=\"red\"/></svg><img src=x onerror=\"alert('xss-fired')\">",
  "usageRules": [
    {
      "serverHostsList": ["postgres"],
      "databaseNamesList": ["dbgate"]
    }
  ]
}

After saving this app definition and opening the UI where the matching database/app icon is rendered, the JavaScript executes.

RCE In Electron app:

  1. Prepare an attacker-controlled application JSON file with a malicious applicationIcon value.
  2. Set usageRules so the application matches a database the victim is likely to view.
  3. Example payload:
json
{
  "applicationName": "XSS PoC",
  "applicationIcon": "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"18\" height=\"18\"><circle cx=\"9\" cy=\"9\" r=\"8\" fill=\"red\"/></svg><img src=x onerror=\"require('fs').writeFileSync(require('path').join(process.cwd(),'xss-rce-poc.txt'),'poc')\">",
  "usageRules": [
    {
      "serverHostsRegex": ".*",
      "databaseNamesRegex": ".*"
    }
  ]
}
  1. Deliver this JSON file to the victim as an application definition file.
  2. The victim imports or saves the file into DbGate's apps storage, for example by opening/creating an application file and saving the attacker-controlled JSON content.
  3. DbGate later loads that app definition through apps/get-all-apps.
  4. When the victim opens a UI view that renders the matching database/application icon, the applicationIcon value is passed into FontIcon.
  5. FontIcon detects that the string starts with <svg and renders it via raw {@html}.
  6. The injected HTML executes in the Electron renderer process.
  7. Because DbGate Desktop uses nodeIntegration: true and contextIsolation: false, the payload can access Node APIs and write the marker file xss-rce-poc.txt

This demonstrates that a malicious saved application JSON file can become stored XSS in the UI and escalate to local code execution in Electron.

Impact

Web app If an attacker can place a malicious application definition where another user will load it, arbitrary JavaScript executes in the victim's browser session. This can lead to token theft, session hijacking, and performing privileged actions as the victim inside DbGate.

Electron desktop app In the desktop app, the impact is more severe because the Electron renderer is configured with nodeIntegration: true and contextIsolation: false. If a victim imports or saves a malicious application definition and later opens a UI view that renders the icon, the XSS can access Node/Electron APIs and may result in local code execution on the victim machine.

AnalysisAI

Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl

Technical ContextAI

DbGate is an open-source database management tool distributed as both a web application (pkg:npm/dbgate-web) and Electron desktop client. The vulnerability stems from improper neutralization of input (CWE-79) in the icon rendering pipeline. The Svelte component FontIcon.svelte uses the {@html} directive to render SVG strings without DOMPurify or equivalent sanitization. Application definitions containing the applicationIcon field are loaded from disk by packages/api/src/controllers/apps.js and passed through DatabaseAppObject.svelte and AppObjectCore.svelte components before reaching FontIcon. Any string beginning with '<svg' triggers raw HTML rendering, creating a stored XSS sink. The Electron desktop app exacerbates this by configuring BrowserWindow with nodeIntegration: true and contextIsolation: false in app/src/electron.js, violating Electron security best practices. This configuration grants renderer processes direct access to Node.js require(), enabling XSS payloads to invoke fs, child_process, and other Node modules for arbitrary code execution on the host operating system.

RemediationAI

Apply the vendor-released patch immediately by upgrading to DbGate versions incorporating commit a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e or later from the official GitHub repository at github.com/dbgate/dbgate. The patch likely implements SVG sanitization in FontIcon.svelte using DOMPurify or equivalent HTML sanitization library, and may reconfigure Electron to disable nodeIntegration and enable contextIsolation per Electron security best practices. Until patching is complete, implement defense-in-depth mitigations: restrict file system permissions so only trusted administrators can place application definition JSON files in DbGate's apps storage directories, disable or carefully audit any application import features accessible to untrusted users, and for web deployments implement Content Security Policy headers to limit inline script execution. Electron desktop users should consider running DbGate in sandboxed environments or under restricted user accounts until the patch is applied. Review application definition files for unexpected SVG or HTML content in applicationIcon fields. Full technical details and proof-of-concept are documented in the GitHub Security Advisory at github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42 and patch commit github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

EUVD-2026-18472 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy