CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-hv83-ggc4-v385: DbGate: Remote Code Execution via functionName injection in loadReader endpoint

highCVSS 8.8CVE-2026-48017
Summary The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. Details The loadReader endpoint in packages/api/src/controllers/runners.js (line 353) takes a functionName parameter from the request body and passes it to compileShellApiFunctionName() which performs no sanitization: Vulnerable code (permalink): loadReader_meta: true, async loadReader({ functionName, props }) { if (!platformInfo.isElectron) { if (props?.fileName && !checkSecureDirectories(props.fileName)) { return { errorMessage: 'DBGM-00289 Unallowed file' }; } } const prefix = extractShellApiPlugins(functionName) .map(packageName => // @require ${packageName}\n) .join(''); const promise = new Promise((resolve, reject) => { const runid = crypto.randomUUID(); this.requests[runid] = { resolve, reject, exitOnStreamError: true }; this.startCore(runid, loaderScriptTemplate(prefix, functionName, props, runid)); }); return promise; }, The loaderScriptTemplate at line 57-68 directly interpolates the compiled function name: const loaderScriptTemplate = (prefix, functionName, props, runid) => ` ${prefix} const dbgateApi = require(process.env.DBGATE_API); dbgateApi.initializeApiEnvironment(); ${requirePluginsTemplate(extractShellApiPlugins(functionName, props))} require=null; async function run() { const reader=await ${compileShellApiFunctionName(functionName)}(${JSON.stringify(props)}); const writer=await dbgateApi.collectorWriter({runid: '${runid}'}); await dbgateApi.copyStream(reader, writer); } dbgateApi.runScript(run); `; The compileShellApiFunctionName in packages/tools/src/packageTools.ts (line 30-35) performs no validation: export function compileShellApi

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.8
Published
2026-06-05
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-hv83-ggc4-v385

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-48017coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories