CVE-2026-41422 - Vulnerability Details

- Daptin vulnerable to SQL injection via unvalidated goqu.L() calls in aggregate API

Description

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4.

Published: 2026-05-07

Score: 8.3 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs in Daptin’s /aggregate/:typename endpoint, where column and group parameters are forwarded directly to the goqu.L() function, a raw SQL literal builder, without validation. An authenticated user can craft inputs that are executed as part of a SQL statement, allowing them to read, modify, or delete data stored in the database. This flaw represents a typical input validation weakness, classified as CWE‑89.

Affected Systems

The affected product is Daptin’s headless CMS (GraphQL/JSON‑API). All releases prior to 0.11.4 are vulnerable; the issue was fixed in v0.11.4. Only authenticated users can exploit the flaw, and the attack is performed through the /aggregate/:typename API endpoint.

Risk and Exploitability

The CVSS score of 8.3 indicates a high level of severity. While the EPSS score is not available, the absence of a CISA KEV listing does not reduce the likelihood of exploitation, especially since the flaw requires only a valid session. An attacker who gains access to a legitimate session or can hijack one can inject arbitrary SQL statements, potentially compromising confidentiality, integrity, and availability of the underlying database. The primary attack vector is via the exposed HTTP API, which can be accessed over the internet or internally, depending on deployment configuration.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

daptin

affected

Version	Status	Constraints
`< 0.11.4`	affected	—

No data.

Vendor Product Confidence Versions

Daptin

100%

Version	Status	Scheme	Platform
`[0,0.11.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Daptin to version 0.11.4 or later, which contains the patch for this issue.
If an upgrade cannot be performed immediately, limit the /aggregate/:typename endpoint to trusted users or IP ranges and reject requests from untrusted sources.
Implement input validation on the column and group parameters to reject any characters or patterns that could form SQL expressions.

Generated by OpenCVE AI on May 7, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-rw2c-8rfq-gwfv	Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/daptin/daptin/releases/tag/v0.11.4
https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv

History

Thu, 07 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Daptin Daptin daptin
Vendors & Products		Daptin Daptin daptin

Thu, 07 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 07 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4.
Title		Daptin vulnerable to SQL injection via unvalidated goqu.L() calls in aggregate API
Weaknesses		CWE-89
References		https://github.com/daptin/daptin/releases/tag/v0.11.4 https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv
Metrics		cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}`

Subscriptions

Daptin Daptin

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-07T13:56:18.648Z

Updated: 2026-05-07T14:57:04.226Z

Reserved: 2026-04-20T15:32:33.813Z

Link: CVE-2026-41422

Vulnrichment

Updated: 2026-05-07T14:56:04.834Z

NVD

Status : Deferred

Published: 2026-05-07T15:16:06.813

Modified: 2026-05-07T15:47:46.853

Link: CVE-2026-41422

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:30:05Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object