Insecure Default Initialization of Resource Affecting dbgate-api package, versions <7.1.9


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.34% (57th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-DBGATEAPI-17817037
  • published4 Jul 2026
  • disclosed5 Jun 2026
  • creditUnknown

Introduced: 5 Jun 2026

CVE-2026-47668  (opens in a new tab)
CWE-1188  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade dbgate-api to version 7.1.9 or higher.

Overview

dbgate-api is an Allows run DbGate data-manipulation scripts.

Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the functionName parameter in JSON script assign commands, which is interpolated directly into dynamically generated JavaScript code and executed in a forked Node.js child process. An attacker can execute arbitrary code on the server by supplying crafted input that injects malicious JavaScript. This is only exploitable if authentication is not explicitly enabled, as the default deployment allows unauthenticated access.

CVSS Base Scores

version 4.0
version 3.1