EXECUTIVE SUMMARY:
CVE-2026-48017, with a CVSS score of 8.8, is a remote code execution vulnerability in the DbGate npm package (dbgate-api) affecting all versions up to and including 7.1.8. The flaw resides in the POST /runners/load-reader endpoint, where the supplied functionName parameter is concatenated into a JavaScript template without any sanitisation, allowing an attacker to inject arbitrary code that runs inside the server process. An adversary who can authenticate with basic user credentials can issue a crafted request containing a malicious functionName (e.g., leveraging process.binding("spawn_sync")) that breaks out of the generated script, bypasses the intended sandbox, and spawns arbitrary child processes with the privileges of the DbGate service. This grants the attacker full command-execution capability on the host, enabling data exfiltration, ransomware deployment, or service disruption. Exploitation requires only network access to the vulnerable API and a valid user account; no special roles or elevated permissions are needed, and the attack succeeds as long as the server runs an unpatched version and does not enforce additional permission checks on the loadReader endpoint.
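The root cause described above, untrusted functionName text spliced into generated JavaScript, as an added illustration in Node.js (not DbGate's own code): the unsafe concatenation pattern next to a hardened handler that validates the name against a strict identifier pattern and a fixed allowlist and checks the caller's permission before anything is loaded. All names here (KNOWN_READERS, buildScriptUnsafe, resolveReaderName, authorizeLoadReader, the 'runners/loadReader' permission string) are hypothetical.

```javascript
// Added illustration, not DbGate's code: the unsafe pattern the advisory
// describes (request-controlled functionName spliced into generated JavaScript)
// beside a hardened alternative that validates and allowlists the name first.
// Every identifier below is hypothetical.

// Hypothetical allowlist of reader functions the server is willing to load.
const KNOWN_READERS = new Set(['readCsv', 'readJsonl', 'readExcel']);

// Unsafe pattern: the request value becomes part of the program text, so any
// character that terminates the call expression changes the program itself.
function buildScriptUnsafe(functionName) {
  return `const reader = require("./readers").${functionName}(options);`;
}

// Hardened: only a plain identifier drawn from a fixed allowlist is accepted;
// everything else is rejected before any script text exists.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function resolveReaderName(functionName) {
  if (typeof functionName !== 'string' || !IDENTIFIER.test(functionName)) {
    return null;
  }
  return KNOWN_READERS.has(functionName) ? functionName : null;
}

// Authorize a loadReader-style request: the caller needs an explicit
// permission AND a validated function name; the name is then used for a
// lookup, never for building code. hasPermission is a hypothetical callback.
function authorizeLoadReader(req, hasPermission) {
  if (!hasPermission(req.user, 'runners/loadReader')) {
    return { ok: false, reason: 'forbidden' };
  }
  const name = resolveReaderName(req.body && req.body.functionName);
  if (name === null) {
    return { ok: false, reason: 'invalid functionName' };
  }
  return { ok: true, functionName: name };
}

// Detection aid for request logs: a functionName containing non-identifier
// characters is never sent by a legitimate client and is worth alerting on.
function isSuspiciousFunctionName(functionName) {
  return typeof functionName === 'string' && !IDENTIFIER.test(functionName);
}
```

Rejected requests carrying a non-identifier functionName are a usable detection signal while an upgrade is pending.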
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-hv83-ggc4-v385