CVE-2026-48017: DbGate: Remote Code Execution via functionName injection in loadReader endpoint

June 5, 2026

The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction.

References

github.com/advisories/GHSA-hv83-ggc4-v385
github.com/dbgate/dbgate/releases/tag/v7.1.9
github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385
nvd.nist.gov/vuln/detail/CVE-2026-48017

Code Behaviors & Features

Detect and mitigate CVE-2026-48017 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →