CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-48017

highCVSS 8.8covered by 1 sourcefirst seen 2026-06-05
Summary The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. Details The loadReader endpoint in packages/api/src/controllers/runners.js (line 353) takes a functionName parameter from the request body and passes it to compileShellApiFunctionName() which performs no sanitization: Vulnerable code (permalink): loadReader_meta: true, async loadReader({ functionName, props }) { if (!platformInfo.isElectron) { if (props?.fileName && !checkSecureDirectories(props.fileName)) { return { errorMessage: 'DBGM-00289 Unallowed file' }; } } const prefix = extractShellApiPlugins(functionName) .map(packageName => // @require ${packageName}\n) .join(''); const promise = new Promise((resolve, reject) => { const runid = crypto.randomUUID(); this.requests[runid] = { resolve, reject, exitOnStreamError: true }; this.startCore(runid, loaderScriptTemplate(prefix, functionName, props, runid)); }); return promise; }, The loaderScriptTemplate at line 57-68 directly interpolates the compiled function name: const loaderScriptTemplate = (prefix, functionName, props, runid) => ` ${prefix} const dbgateApi = require(process.env.DBGATE_API); dbgateApi.initializeApiEnvironment(); ${requirePluginsTemplate(extractShellApiPlugins(functionName, props))} require=null; async function run() { const reader=await ${compileShellApiFunctionName(functionName)}(${JSON.stringify(props)}); const writer=await dbgateApi.collectorWriter({runid: '${runid}'}); await dbgateApi.copyStream(reader, writer); } dbgateApi.runScript(run); `; The compileShellApiFunctionName in packages/tools/src/packageTools.ts (line 30-35) performs no validation: export function compileShellApi

⚡ Watch CVE-2026-48017

Get an email if CVE-2026-48017 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-48017

CVE.org record

Embed the live status

CVE-2026-48017 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-48017 status](https://www.csirts.com/badge/CVE-2026-48017)](https://www.csirts.com/cve/CVE-2026-48017)