CVE-2026-48017
Deferred Deferred - Pending Action

DbGate Remote Code Execution via JavaScript Injection

Vulnerability report for CVE-2026-48017, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description

DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system - in Docker deployments, this typically means root access within the container.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dbgate dbgate 7.1.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in DbGate, a cross-platform database manager, in versions 7.1.8 and earlier. The issue is in the POST /runners/load-reader endpoint, which accepts a parameter called functionName. This parameter is directly inserted into a JavaScript code template without any sanitization or validation.

Because of this, an authenticated user with basic access (no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges. This bypasses the intended sandbox restrictions.

Impact Analysis

An attacker with basic authenticated access can exploit this vulnerability to execute arbitrary operating system commands on the DbGate server with the privileges of the Node.js process.

  • Execute arbitrary OS commands on the server.
  • Read and write any files accessible to the Node.js process.
  • Access and pivot to connected databases by reading stored connection credentials.
  • Compromise the host system, including gaining root access within Docker containers.
Compliance Impact

The vulnerability allows an authenticated user with basic access to execute arbitrary OS commands, read and write any files accessible to the process, and access database connection credentials. This can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

Such unauthorized access and potential data breaches can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, strict access controls, and prevention of unauthorized data disclosure.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /runners/load-reader endpoint on the DbGate server.

Specifically, look for POST requests containing the functionName parameter with unusual or unexpected JavaScript code injections.

A possible detection method is to capture and analyze HTTP traffic to identify such crafted requests.

Example commands to detect suspicious activity might include using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to /runners/load-reader.

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/runners/load-reader'
  • Use web server logs to search for POST requests to /runners/load-reader with suspicious functionName parameters, e.g., grep 'POST /runners/load-reader' /var/log/nginx/access.log | grep functionName

Additionally, monitoring for unexpected child process executions or unusual file access on the DbGate server may help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade DbGate to version 7.1.9 or later, where validation for function and file names has been added and security improvements have been implemented.

Until the upgrade can be applied, restrict access to the DbGate server to trusted users only, as the vulnerability requires authentication but no special permissions.

Consider monitoring and blocking suspicious POST requests to the /runners/load-reader endpoint to prevent exploitation.

Review and tighten network and application-level access controls to limit exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48017. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart