Cyber Posture

CVE-2026-34725

Severity: High
Published: 02 April 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: available (fixed in version 7.1.5)
CVSS Score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34725 is a high-severity stored cross-site scripting (CWE-79) vulnerability in DbGate, a cross-platform database manager. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The EPSS model ranks it at the 7.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique, JavaScript execution (T1059.007). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent): directly addresses the core issue by filtering or sanitizing attacker-controlled SVG icon strings before they are rendered as HTML, preventing the stored XSS.

Information input validation (prevent): validates and sanitizes user-supplied input such as SVG icons at entry points so that malicious payloads are never stored in the first place.

SI-2 Flaw Remediation (prevent): ensures timely remediation by updating to version 7.1.5, which implements the necessary sanitization for the XSS flaw.
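The two preventive controls above amount to one policy: never let an untrusted SVG string reach innerHTML unchanged. The following is an added example, not DbGate's code and not the fix from the 7.1.5 commit: a fail-closed allowlist validator for SVG icon strings, applied at the storage entry point and again at the render path, with a neutral placeholder substituted for anything it cannot prove safe. The tag and attribute allowlists, the 16 KB size cap and the sample icons are assumptions chosen for the example. A production deployment would normally use a maintained sanitizer (DOMPurify with its SVG profile, for instance), but the policy decisions shown here, rejecting event-handler attributes, external or javascript: hrefs, foreignObject, comments and anything the tokenizer cannot fully account for, are the decisions such a sanitizer has to make.

```javascript
// Added example (not DbGate's code): fail-closed allowlist validation for SVG icon strings.
// Anything the strict tokenizer cannot fully account for is rejected rather than "cleaned",
// so comments, CDATA, processing instructions, unquoted and boolean attributes all fail.

// Assumed allowlists: enough for typical line icons; extend deliberately, never with a wildcard.
const ALLOWED_TAGS = new Set(['svg', 'g', 'path', 'circle', 'rect', 'line', 'polyline',
  'polygon', 'ellipse', 'defs', 'use', 'title', 'desc']);
const ALLOWED_ATTRS = new Set(['xmlns', 'xmlns:xlink', 'viewBox', 'width', 'height', 'd',
  'fill', 'fill-rule', 'clip-rule', 'stroke', 'stroke-width', 'stroke-linecap',
  'stroke-linejoin', 'opacity', 'transform', 'class', 'id', 'href', 'xlink:href',
  'x', 'y', 'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry', 'points']);
const MAX_ICON_CHARS = 16 * 1024; // assumed cap: icons are small, payload builders are not

// One well-formed start, end or self-closing tag whose attribute values are all quoted.
// Names are matched case-sensitively against the lowercase allowlists, so <SCRIPT>,
// <ScRiPt> and <svg:script> are rejected along with <script>.
const TAG_RE = /^<(\/?)([A-Za-z][A-Za-z0-9:-]*)((?:\s+[A-Za-z_:][A-Za-z0-9_:.-]*\s*=\s*(?:"[^"<>]*"|'[^'<>]*'))*)\s*(\/?)>/;
const ATTR_RE = /([A-Za-z_:][A-Za-z0-9_:.-]*)\s*=\s*(?:"([^"<>]*)"|'([^'<>]*)')/g;

function attributeIsSafe(name, value) {
  if (name.toLowerCase().startsWith('on')) return false;     // event handlers, in any case
  if (!ALLOWED_ATTRS.has(name)) return false;                 // style, src, data-*, ... are out
  if (/[<&]/.test(value)) return false;                       // no markup or entities in values
  if (name === 'href' || name === 'xlink:href') return value.startsWith('#'); // same-document only
  if (name === 'xmlns') return value === 'http://www.w3.org/2000/svg';
  if (name === 'xmlns:xlink') return value === 'http://www.w3.org/1999/xlink';
  return true;
}

// True only for a single, balanced <svg> tree built entirely from allowlisted parts.
function validateSvgIcon(svg) {
  if (typeof svg !== 'string' || svg.length > MAX_ICON_CHARS) return false;
  const open = [];
  let sawRoot = false;
  let i = 0;
  while (i < svg.length) {
    if (svg[i] !== '<') {
      const next = svg.indexOf('<', i);
      const text = svg.slice(i, next === -1 ? svg.length : next);
      if (text.includes('&')) return false;                   // entities could smuggle markup
      if (open.length === 0 && text.trim() !== '') return false; // text outside the root
      i += text.length;
      continue;
    }
    const m = TAG_RE.exec(svg.slice(i));
    if (m === null) return false;                             // comment, CDATA, PI, malformed tag
    const [token, closing, name, attrs, selfClosing] = m;
    if (!ALLOWED_TAGS.has(name)) return false;
    if (closing) {
      if (attrs.trim() !== '' || selfClosing) return false;
      if (open.pop() !== name) return false;                  // unbalanced nesting
    } else {
      if (open.length === 0) {
        if (sawRoot || name !== 'svg') return false;          // exactly one <svg> root
        sawRoot = true;
      }
      for (const a of attrs.matchAll(ATTR_RE)) {
        if (!attributeIsSafe(a[1], a[2] !== undefined ? a[2] : a[3])) return false;
      }
      if (!selfClosing) open.push(name);
    }
    i += token.length;
  }
  return sawRoot && open.length === 0;
}

// Output filtering at the render path: an icon that fails validation is replaced, never "fixed".
const FALLBACK_ICON = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
  + '<rect x="4" y="4" width="16" height="16" fill="#999"/></svg>';

function iconMarkupForRender(untrustedSvg) {
  return validateSvgIcon(untrustedSvg) ? untrustedSvg : FALLBACK_ICON;
}

// Constructed samples: one benign icon and the shapes an SVG-based XSS payload takes.
const SAMPLES = {
  benign: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
    + '<path d="M12 2 2 7l10 5 10-5-10-5z" fill="none" stroke="#333" stroke-width="2"/></svg>',
  scriptTag: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>',
  eventHandler: '<svg onload="alert(1)" viewBox="0 0 1 1"></svg>',
  jsHref: '<svg><use href="javascript:alert(1)"/></svg>',
  foreignObject: '<svg><foreignObject><body></body></foreignObject></svg>',
  comment: '<svg><!-- hidden --><path d="M0 0"/></svg>',
};

for (const [label, svg] of Object.entries(SAMPLES)) {
  console.log(`${label.padEnd(14)} valid=${validateSvgIcon(svg)}`);
}
```

The same validateSvgIcon call belongs at the API endpoint that stores the icon (input validation, rejecting the request) and in the render path (output filtering, substituting the placeholder); running it in both places means a payload that reaches the database through some other route still never reaches innerHTML.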

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.007 Command and Scripting Interpreter: JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Stored XSS gives the attacker JavaScript execution in the victim's browser (T1059.007); in the desktop app, the insecure Electron configuration (nodeIntegration: true, contextIsolation: false) lets that same script reach Node.js APIs, turning the client-side exploit into arbitrary local code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

DbGate is a cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.

Deeper analysis

CVE-2026-34725 is a stored cross-site scripting (XSS) vulnerability in DbGate, a cross-platform database manager. The flaw affects versions 7.0.0 through 7.1.4, where attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. Published on 2026-04-02, it is linked to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code), with a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

The CVSS vector scores the attack as local (AV:L), low-privileged (PR:L) and requiring user interaction (UI:R), with a changed scope (S:C) consistent with impact reaching beyond DbGate itself. Because the XSS is stored, the attacker only needs a crafted SVG icon string to be saved once; it executes whenever another user's session renders it. In DbGate's web UI that means script execution in the other user's browser. In the Electron desktop application, the insecure configuration (nodeIntegration: true and contextIsolation: false) gives that same script access to Node.js APIs, so it escalates to arbitrary local code execution.
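The escalation described above depends entirely on two renderer settings, so the desktop build is worth checking independently of the XSS fix. The following is an added example, not DbGate's code: a small audit of an Electron BrowserWindow webPreferences object against a hardened baseline, run on the weak combination the advisory names and on the corrected form. The baseline keys, the decision to treat an unset key as a finding (Electron's defaults for these keys have changed across major versions, so an audit should not rely on them), and the sample objects are assumptions made for this example.

```javascript
// Added example (not DbGate's code): audit Electron webPreferences against a hardened baseline.
// With nodeIntegration: true and contextIsolation: false, script injected into the renderer
// runs with the page's access to Node.js (require('child_process') and friends), which is
// how a stored XSS in the desktop app becomes local code execution.

// Assumed baseline: the values Electron's security guidance recommends for windows that may
// render untrusted markup. Each entry records what goes wrong when the value is the opposite.
const BASELINE = {
  nodeIntegration:             { want: false, why: 'renderer scripts can require() Node modules and run OS commands' },
  contextIsolation:            { want: true,  why: 'page scripts share a realm with the preload and can tamper with it' },
  sandbox:                     { want: true,  why: 'renderer process keeps OS-level privileges it does not need' },
  webSecurity:                 { want: true,  why: 'same-origin policy is disabled for the renderer' },
  allowRunningInsecureContent: { want: false, why: 'HTTPS pages may load active content over plain HTTP' },
  nodeIntegrationInWorker:     { want: false, why: 'web workers get Node access' },
  nodeIntegrationInSubFrames:  { want: false, why: 'iframes and child frames get Node access' },
};

// Returns one finding string per deviation. An unset key is a finding as well: Electron's
// defaults for these keys differ between major versions, so an audit that relies on them
// is only correct for one Electron version.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, rule] of Object.entries(BASELINE)) {
    if (!(key in prefs)) {
      findings.push(`${key}: not set explicitly; set it to ${rule.want}`);
    } else if (prefs[key] !== rule.want) {
      findings.push(`${key}=${prefs[key]}: expected ${rule.want} (${rule.why})`);
    }
  }
  // Isolation only helps if the bridge to the main process is a narrow, explicit preload API.
  if (prefs.contextIsolation === true && typeof prefs.preload !== 'string') {
    findings.push('preload: none configured; expose renderer capabilities through contextBridge only');
  }
  return findings;
}

// The insecure combination the advisory describes (constructed; not DbGate's actual config).
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false };

// Corrected form: every baseline key explicit, Node reachable only through a preload script.
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
  nodeIntegrationInWorker: false,
  nodeIntegrationInSubFrames: false,
  preload: '/app/preload.js', // assumed path; built with path.join(__dirname, 'preload.js') in practice
};

for (const [label, prefs] of [['weak', WEAK_PREFS], ['hardened', HARDENED_PREFS]]) {
  const findings = auditWebPreferences(prefs);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log('  - ' + f);
}
```

The weak object produces seven findings: the two values the advisory names are wrong, and the remaining five keys are unset, which is exactly the state in which an Electron upgrade can silently change a window's exposure.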

The issue is patched in DbGate version 7.1.5. Mitigation involves updating to this version or later. Key references include the patching commit at https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e, release notes at https://github.com/dbgate/dbgate/releases/tag/v7.1.5, and the GitHub security advisory at https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42.

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-94 (Improper Control of Generation of Code)

Affected Products: DbGate, versions from 7.0.0 to before 7.1.5 (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-34448 (shared CWE-79, CWE-94)
CVE-2026-42090 (shared CWE-79, CWE-94)
CVE-2026-34585 (shared CWE-79, CWE-94)
CVE-2026-33941 (shared CWE-79, CWE-94)
CVE-2026-40322 (shared CWE-79, CWE-94)
CVE-2025-24028 (shared CWE-79)
CVE-2025-65108 (shared CWE-94)
CVE-2025-66580 (shared CWE-79, CWE-94)
CVE-2026-33976 (shared CWE-79, CWE-94)
CVE-2025-55204 (shared CWE-79, CWE-94)

References

GitHub security advisory: https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42
Fix commit: https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e
Release notes: https://github.com/dbgate/dbgate/releases/tag/v7.1.5