CVE-2026-48017 | DbGate is cross-platform database manager. In versions 7.1.8… | CVSS 8.8 HIGH

Description

DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system - in Docker deployments, this typically means root access within the container.

Metadata

CVE ID: CVE-2026-48017
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-20 17:44 UTC
Published: 2026-06-15 20:54 UTC
Last updated: 2026-06-15 20:54 UTC
Primary CWE: CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product: dbgate / dbgate
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
dbgate	dbgate	—	< 7.1.9

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (2)

https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385 https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385
https://github.com/dbgate/dbgate/releases/tag/v7.1.9 https://github.com/dbgate/dbgate/releases/tag/v7.1.9