Summary The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with…
| CVE ID | CVE-2026-48017 |
| Vendor | npm |
| Affected Product | dbgate-api |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.8 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction.loadReader endpoint in packages/api/src/controllers/runners.js (line 353) takes a functionName parameter from the request body and passes it to compileShellApiFunctionName() which performs no sanitization: Vulnerable code ([permalink](https://github.com/dbgate/dbgate/blob/ea3a61077ab09775c39890c465f0b3e97f6c812e/packages/api/src/controllers/runners.jSigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.