Description
DbGate is a cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint accepts a functionName parameter that is interpolated directly into a JavaScript code template without any sanitization or validation. An authenticated user with basic access (no admin role and no run-shell-script permission required) can inject arbitrary JavaScript that executes on the server with full process privileges, bypassing the require=null sandbox restriction. Such a user can therefore execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read or write any file accessible to that process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system; in Docker deployments, this typically means root access within the container.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user with basic access to inject arbitrary JavaScript code through the functionName parameter in the POST /runners/load-reader endpoint. Because the code is directly interpolated without sanitization, it runs on the server with the full Node.js process privileges, bypassing the sandbox. This leads to remote code execution, allowing execution of OS commands, file read/write, and database credential extraction, effectively compromising the host system.

Affected Systems

All installations of DbGate version 7.1.8 and earlier are affected. DbGate runs under Node.js, so the injected code executes with whatever privileges the Node.js process holds; in Docker deployments this typically grants root within the container. The attacker needs only authenticated access with basic privileges, with no admin role required.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability with complete confidentiality, integrity, and availability compromise. The EPSS score of less than 1% shows that exploitation risk is currently low, and the vulnerability is not listed in CISA KEV, suggesting no known large‑scale active exploitation. Nonetheless, the attacker can perform the exploit remotely via an authenticated HTTP request, so patches should be applied promptly.

Generated by OpenCVE AI on June 16, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DbGate to version 7.1.9 or later, which removes the unsafe code interpolation.
  • If an upgrade is not immediately possible, restrict network access to the /runners/load-reader endpoint or revoke basic user rights to that API, limiting the attack surface.
  • Additionally, run DbGate in a container or VM with the least privilege and consider disabling or sandboxing the ability to execute arbitrary JavaScript.
  • Monitor logs for unusual POST requests to /runners/load-reader and verify no unexpected code execution.
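The following is an added example, not DbGate's own code, showing the two defensive measures that the advisory and the recommended actions point at: resolving functionName by allowlist lookup instead of interpolating it into a code template (the CWE-94 fix pattern), and a log check that flags POST /runners/load-reader requests whose functionName is not a registered reader. The reader names, the log line format and the field names are constructed assumptions for the demonstration.

```javascript
// Added example (not DbGate's code): allowlist lookup instead of code
// interpolation for the functionName parameter, plus a log check for the
// advisory's monitoring recommendation.

// Constructed stand-in for the server-side reader functions that
// /runners/load-reader selects between (these names are hypothetical).
const READERS = Object.freeze({
  jsonReader: (opts) => `json:${opts.path}`,
  csvReader: (opts) => `csv:${opts.path}`,
});

// A plain JavaScript identifier: the only shape a legitimate functionName has.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// True only for names that are both well-formed and registered. The
// hasOwnProperty check also rejects inherited names such as "__proto__".
function isKnownReader(functionName) {
  return typeof functionName === 'string'
    && IDENTIFIER.test(functionName)
    && Object.prototype.hasOwnProperty.call(READERS, functionName);
}

// Hardened loader: the request value is used only as an allowlist key and
// never becomes part of source text handed to eval, new Function or vm.
function loadReader(functionName, options) {
  if (!isKnownReader(functionName)) {
    throw new Error(`unknown reader: ${JSON.stringify(functionName)}`);
  }
  return READERS[functionName](options);
}

// Detection helper. Log lines are assumed to be JSON objects carrying the
// method, path and parsed request body (a constructed format; adapt the
// field names to the real access log). Returns the flagged line indexes
// together with the offending functionName value.
function findSuspiciousLoadReaderRequests(logLines) {
  const flagged = [];
  logLines.forEach((line, index) => {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (err) {
      return; // skip malformed lines rather than abort the scan
    }
    if (entry.method !== 'POST' || entry.path !== '/runners/load-reader') return;
    const name = entry.body && entry.body.functionName;
    if (!isKnownReader(name)) {
      flagged.push({ index, functionName: name });
    }
  });
  return flagged;
}

// Constructed sample log: a legitimate call, a value that is not an
// identifier, an unrelated request, and an inherited-property name.
const SAMPLE_LOG = [
  '{"method":"POST","path":"/runners/load-reader","body":{"functionName":"csvReader"}}',
  '{"method":"POST","path":"/runners/load-reader","body":{"functionName":"csvReader; 1"}}',
  '{"method":"GET","path":"/connections/list","body":{}}',
  '{"method":"POST","path":"/runners/load-reader","body":{"functionName":"__proto__"}}',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(loadReader('jsonReader', { path: 'data.json' }));
  console.log(findSuspiciousLoadReaderRequests(SAMPLE_LOG));
}
```

Run it with node to see the hardened loader resolve a registered name and the scanner flag the two unexpected log lines (indexes 1 and 3). The point of the allowlist is that no string from the request ever reaches a code-generation primitive, so the require=null sandbox is no longer the only thing standing between the parameter and the process.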

Generated by OpenCVE AI on June 16, 2026 at 21:28 UTC.


Advisories

Source: Github GHSA
ID: GHSA-hv83-ggc4-v385
Title: DbGate: Remote Code Execution via functionName injection in loadReader endpoint
History

Tue, 16 Jun 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Dbgate; Dbgate dbgate

Type: Vendors & Products
Values Removed: none
Values Added: Dbgate; Dbgate dbgate

Mon, 15 Jun 2026 21:45:00 +0000

Type: Description
Values Removed: none
Values Added: DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system - in Docker deployments, this typically means root access within the container.

Type: Title
Values Removed: none
Values Added: DbGate: Remote Code Execution via functionName injection in loadReader endpoint

Type: Weaknesses
Values Removed: none
Values Added: CWE-94

Type: References
Values Removed: none
Values Added: none

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T15:39:32.724Z

Reserved: 2026-05-20T17:44:09.586Z

Link: CVE-2026-48017

Vulnrichment

Updated: 2026-06-16T15:39:23.763Z

NVD

Status : Deferred

Published: 2026-06-15T22:16:16.937

Modified: 2026-06-16T17:16:41.083

Link: CVE-2026-48017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')