CVE-2026-48017

HIGH 8.8

DbGate: Remote Code Execution via functionName injection in loadReader endpoint

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system - in Docker deployments, this typically means root access within the container.

CWE	CWE-94
Vendor	dbgate
Product	dbgate
Published	Jun 15, 2026

Stay Ahead of the Next One

Get instant alerts for dbgate dbgate

Be the first to know when new high vulnerabilities affecting dbgate dbgate are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

dbgate / dbgate

< 7.1.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385 github.com: https://github.com/dbgate/dbgate/releases/tag/v7.1.9