CVE-2026-4983

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a maliciou...

CVE-2026-4983

CVE-2026-4983 affects the Open VSX Registry where SVG icons uploaded as extensions are not sanitized before storage and are served as image/svg+xml without security headers. This enables stored cross-site scripting (XSS) when users navigate to the icon URL. The impact differs by deployment: on lo...

GHSA-J8J5-7R4H-VJ2G DbGate has cross site scripting via the SVG Icon String Handler component

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launch...

DbGate has cross site scripting via the SVG Icon String Handler component

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launch...

CVE-2026-6216 DbGate SVG Icon String FontIcon.svelte cross site scripting

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launch...

CVE-2026-6216

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launch...

CVE-2026-6216

DbGate (up to version 7.1.4) contains a cross-site scripting vulnerability in the SVG Icon String Handler, specifically in the file packages/web/src/icons/FontIcon.svelte. The vulnerability arises from manipulation of the argument applicationIcon within the FontIcon component, allowing an attacke...

DbGate 代码注入漏洞

DbGate is an open-source database manager developed by DbGate. Versions of DbGate 7.1.4 and earlier contained a code injection vulnerability. This vulnerability stemmed from the operation of the applicationIcon parameter in the SVG Icon String Handler component, which allowed for cross-site...

PT-2026-32518

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launch...

CVE-2026-34725

DbGate (multi-platform: web and Electron desktop) contains a stored XSS in the icon rendering path impacting versions 7.0.0–7.1.5. Attacker-controlled SVG icons stored as applicationIcon are rendered without sanitization, enabling script execution in another user’s browser (web UI) and, in Electr...

CVE-2025-46335 Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload

Mobile Security Framework MobSF is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting XSS vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of...

Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload

Vulnerable MobSF Versions: .svg This file becomes publicly accessible via the web interface at: http://127.0.0.1:8081/download/filename.svg If the SVG contains embedded JavaScript e.g., an XSS payload, accessing this URL via a browser leads to the execution of the script in the context of the Mob...

Malicious code in @tinkoff-react-bui/svg-icon (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cf558b9a116b62aab931fcf875349acb6eb5f4171abaeac53c3fcdc8069f83b4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2022-661 Malicious code in @tinkoff-react-bui/svg-icon (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cf558b9a116b62aab931fcf875349acb6eb5f4171abaeac53c3fcdc8069f83b4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Fedora 31 : seamonkey (2020-fd5918d946)

Additional fixes for AV1 codec and svg icon. ---- Update to 2.53.5 AV1 media codec now supported. Some fixes and improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically...

Fedora 32 : seamonkey (2020-396a3dfb1f)

Additional fixes for AV1 codec and svg icon. ---- Update to 2.53.5 AV1 media codec now supported. Some fixes and improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically...