CVE-2026-48017
Status: Received - Intake
Source: BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
DbGate is a cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint accepts a functionName parameter that is interpolated directly into a JavaScript code template without any sanitization or validation. An authenticated user with basic access (no admin role and no run-shell-script permission required) can inject arbitrary JavaScript that executes on the server with the full privileges of the Node.js process, bypassing the require=null sandbox restriction. Such a user can therefore execute arbitrary OS commands on the DbGate server, read or write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system; in Docker deployments this typically means root access within the container.
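An added illustration of the defensive handling this CWE-94 finding calls for; it is not DbGate's code and is not derived from the project. The functionName value is checked against a strict identifier pattern and an assumed allowlist registry, then dispatched as data instead of being spliced into a source template; the registry contents and helper names are assumptions.

```javascript
// Added illustration, not DbGate's code: handling a "functionName"-style
// request parameter so that it can never alter generated JavaScript.
// The registry contents and helper names below are assumptions.

// Assumed registry of the only loader functions the endpoint should expose.
const LOADERS = {
  readCsv: (opts) => ({ kind: 'csv', ...opts }),
  readJsonl: (opts) => ({ kind: 'jsonl', ...opts }),
};

// Strict shape check: a plain JavaScript identifier and nothing else.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// CWE-94 shape: the untrusted value is spliced into source text, so any
// syntax it carries becomes part of the program that is later evaluated.
function buildLoaderSourceUnsafe(functionName) {
  return `module.exports = (opts) => ${functionName}(opts);`;
}

// Hardened replacement: validate both shape and membership, then dispatch
// through the registry as data. No source text is generated at all.
function resolveLoader(functionName) {
  if (typeof functionName !== 'string' || !IDENTIFIER.test(functionName)) {
    throw new TypeError('functionName must be a plain identifier');
  }
  // hasOwnProperty keeps inherited names such as "constructor" out.
  if (!Object.prototype.hasOwnProperty.call(LOADERS, functionName)) {
    throw new RangeError(`unknown loader: ${functionName}`);
  }
  return LOADERS[functionName];
}

// Request-validation helper: true only when the value would survive the
// hardened path, so it can gate the request before any runner is started.
function isAcceptedFunctionName(functionName) {
  try {
    resolveLoader(functionName);
    return true;
  } catch (e) {
    return false;
  }
}
```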
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor | Product | Version / Range
dbgate | dbgate | 7.1.8
CWE
CWE-94 (Improper Control of Generation of Code, 'Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

This vulnerability exists in DbGate, a cross-platform database manager, in versions 7.1.8 and earlier. The issue is in the POST /runners/load-reader endpoint, which accepts a parameter called functionName. This parameter is directly inserted into a JavaScript code template without any sanitization or validation.

Because of this, an authenticated user with basic access (no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges. This bypasses the intended sandbox restrictions.

Impact Analysis

An attacker with basic authenticated access can use this vulnerability to:

  • Execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process.
  • Read and write any files accessible to the Node.js process.
  • Access and pivot to connected databases by reading stored connection credentials.
  • Compromise the host system, including gaining root access within Docker containers.

Compliance Impact

The vulnerability allows an authenticated user with basic access to execute arbitrary OS commands, read and write any files accessible to the process, and access database connection credentials. This can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

Such unauthorized access and potential data breaches can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, strict access controls, and prevention of unauthorized data disclosure.
