SCA: security update for dbgate-api (GHSA-hv83-ggc4-v385)

high Tenable Self-Hosted Container Security Plugin ID 444519

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader
endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code
template without any sanitization or validation. An authenticated user (with basic access, no special
permissions required) can inject arbitrary JavaScript code that executes on the server with full process
privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no
admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate
server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to
connected databases by reading connection credentials from DbGate's storage, and compromise the host
system - in Docker deployments, this typically means root access within the container. (CVE-2026-48017)

Solution

Update the dbgate-api library and its related packages to version 7.1.9 or later.

See Also

https://github.com/advisories/GHSA-hv83-ggc4-v385

Plugin Details

Severity: High

ID: 444519

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/8/2026

Updated: 7/8/2026

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.93

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-48017

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/5/2026

Vulnerability Publication Date: 6/5/2026

Reference Information

CVE: CVE-2026-48017

cwe: CWE-94