{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dbgate-serve--7.1.8/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dbgate-serve (\u003c= 7.1.8)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-47668","rce","dbgate"],"_cs_type":"advisory","_cs_vendors":["DbGate"],"content_html":"\u003cp\u003eA public exploit has been released for CVE-2026-47668, a critical remote code execution vulnerability in DbGate\u0026rsquo;s JSON Script Runner. DbGate versions 7.1.8 and earlier are vulnerable. The vulnerability arises from the concatenation of user-controlled fields like \u003ccode\u003efunctionName\u003c/code\u003e and \u003ccode\u003evariableName\u003c/code\u003e into dynamically generated JavaScript without proper validation. This allows attackers to inject arbitrary code into the Node.js child process that runs runner scripts. In deployments with anonymous or default authentication, an attacker can obtain a Bearer token via \u003ccode\u003ePOST /auth/login\u003c/code\u003e and then exploit the vulnerability via \u003ccode\u003ePOST /runners/start\u003c/code\u003e without valid credentials. Successful exploitation leads to full server compromise at the privilege level of the DbGate process. 
Defenders should upgrade to DbGate 7.1.9+ immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable DbGate instance running version 7.1.8 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/auth/login\u003c/code\u003e with a default \u003ccode\u003eamoid\u003c/code\u003e value to obtain a Bearer token.\u003c/li\u003e\n\u003cli\u003eThe server returns a Bearer token to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/runners/start\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request contains a JSON payload with injected code in the \u003ccode\u003efunctionName\u003c/code\u003e or \u003ccode\u003evariableName\u003c/code\u003e fields within the \u003ccode\u003eassign\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe server concatenates the attacker-controlled input into dynamically generated JavaScript.\u003c/li\u003e\n\u003cli\u003eThe server executes the injected code within a Node.js child process, allowing the attacker to execute arbitrary OS commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the server with the privileges of the DbGate process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-47668 can lead to arbitrary OS command execution, potentially enabling credential and file access, malware deployment, lateral movement, and denial of service. The business impact includes data theft, host takeover, ransomware deployment, credential compromise, and service disruption. 
Since no victim counts are given, assume all users of vulnerable versions are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to DbGate version 7.1.9 or later immediately to patch CVE-2026-47668.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/auth/login\u003c/code\u003e followed by \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/runners/start\u003c/code\u003e with unusual JSON payloads as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect exploitation attempts targeting CVE-2026-47668.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T15:05:59Z","date_published":"2026-05-26T15:05:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-47668-dbgate-rce/","summary":"CVE-2026-47668 is a critical remote code execution vulnerability in the JSON Script Runner component of DbGate versions 7.1.8 and earlier. User-controlled fields are concatenated into dynamically generated JavaScript without adequate validation, allowing arbitrary code execution. An attacker may obtain a Bearer token and reach the vulnerable endpoint without valid credentials, leading to full server compromise. Upgrade to DbGate 7.1.9+ immediately to remediate the vulnerability.","title":"DbGate Unauthenticated Remote Code Execution via JSON Script Runner (CVE-2026-47668)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-47668-dbgate-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Dbgate-Serve (\u003c= 7.1.8)","version":"https://jsonfeed.org/version/1.1"}