{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-48017/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-15T20:54:18.858Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-48017","@id":"https://www.cve.org/CVERecord?id=CVE-2026-48017","description":"DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with"},"products":[{"@id":"cpe:2.3:a:dbgate:dbgate:\\<_7.1.9:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:dbgate:dbgate:\\<_7.1.9:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-15T20:54:18.858Z"}]}