CVE-2026-48017
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk43th percentile - higher than 43% of all known CVEs
Summary
DbGate is a cross-platform database manager, in versions 7.1.8 and prior, has a vulnerability in the POST /runners/load-reader endpoint that accepts a functionName parameter interpolated without sanitization into a JavaScript code template. An authenticated user with basic access can inject arbitrary JavaScript code that executes on the server with full process privileges.
Risk Assessment
This vulnerability allows for the execution of arbitrary OS commands on the DbGate server and access to sensitive files and data, potentially leading to compromise of the host system, especially in Docker environments.
Recommendation
It is recommended to update DbGate to a version newer than 7.1.8 and implement additional security measures to restrict access to critical endpoints.
Original NVD description (English source)
DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system - in Docker deployments, this typically means root access within the container.

