7 matches found
CVE-2026-48017
Summary (CVE-2026-48017) DbGate
CVE-2026-48017 DbGate: Remote Code Execution via functionName injection in loadReader endpoint
DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user with basic access, ...
Exploit for CVE-2026-48017
CVE-2026-48017 ā Remote Code Execution in DbGate via function...
GHSA-HV83-GGC4-V385 DbGate: Remote Code Execution via functionName injection in loadReader endpoint
Summary The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user with basic access, no special permissions required can inject arbitrary JavaScript...
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
Summary The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user with basic access, no special permissions required can inject arbitrary JavaScript...
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Summary DbGate's JSON script runner POST /runners/start allows remote code execution via code injection in the functionName parameter of JSON script assign commands. The functionName value is interpolated directly into dynamically generated JavaScript source code via string concatenation. The...
PT-2026-47062
šØ Multiple Critical Vulnerabilities Disclosed in DbGate Several severe vulnerabilities in DbGate can allow attackers to achieve remote code execution: ā¢ CVE-2026-47668 - Unauthenticated RCE via JSON Script Runner dbgate-serve ā¢ CVE-2026-47669 - Zip Slip arbitrary file write leading to RCE ā¢...