PatchSiren cyber security CVE debrief
CVE-2026-48017 dbgate CVE debrief
CVE-2026-48017 is a high-severity vulnerability in DbGate, a cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint accepts a functionName parameter that is interpolated directly into a JavaScript code template without any sanitization or validation. Because the value is spliced into source code rather than handled as data, an authenticated user with basic access (no admin role and no run-shell-script permission required) can inject arbitrary JavaScript that executes on the server with the full privileges of the Node.js process, bypassing the require=null sandbox restriction.
The potential impact includes:
- executing arbitrary OS commands on the DbGate server with the privileges of the Node.js process
- reading or writing any file accessible to that process
- pivoting to connected databases by reading connection credentials from DbGate's storage
- compromising the host system; in Docker deployments this typically means root access within the container
The CVSS score for this vulnerability is 8.8 (HIGH).
- Vendor: dbgate
- Product: Unknown in stored evidence (the description identifies DbGate)
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-17
Who should care
Anyone running DbGate 7.1.8 or earlier should apply the patch or upgrade to a fixed version. Exposure is greatest in shared or multi-user deployments: the attack needs only an ordinary authenticated account, not an admin role or the run-shell-script permission, so every user who can log in is a potential attacker and every database credential stored in DbGate is at risk.
Technical summary
The POST /runners/load-reader endpoint builds JavaScript source by interpolating the caller-supplied functionName parameter into a code template and then executes the result. The value is not validated (for example, checked to be a bare identifier), so a caller can close the intended expression and append arbitrary statements, which then run inside the server's Node.js process. The require=null restriction placed on the template does not contain this: withholding require from code that is already executing in the process is not an effective sandbox.
Defensive priority
High
Recommended defensive actions
- Apply the patch or upgrade to a fixed version of DbGate; this is the only complete fix.
- Until patched, restrict access to the POST /runners/load-reader endpoint (for example at a reverse proxy in front of DbGate) and limit DbGate logins to trusted users, since any authenticated account can exploit the issue.
- Monitor for requests to /runners/load-reader whose functionName is not a bare identifier (contains whitespace, quotes, parentheses, semicolons or newlines), and for unexpected child processes or outbound connections from the DbGate Node.js process.
Evidence notes
CVE-2026-48017 was published on 2026-06-15T22:16:16.937Z and has a CVSS score of 8.8.