CVE-2026-41422
HIGH
Daptin vulnerable to SQL injection via unvalidated goqu.L() calls in aggregate API
Title source: cnaDescription
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4.
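The defensive side of this bug, as an added illustration that is not Daptin's code or its actual 0.11.4 fix: the column and group query parameters are checked against the table's schema and a fixed set of aggregate functions before anything is handed to a raw SQL builder, so a value that is not a known column or func(column) is rejected rather than interpolated. The schema map (tableColumns), the function set, and the function names safeFragments and BuildAggregate are assumptions made for this example; it uses only the standard library so it runs without goqu.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed schema and accepted aggregate functions (assumptions, not Daptin's own types);
// a parameter may only be a bare column name or func(column), so free-form SQL never matches.
var tableColumns = map[string]map[string]bool{"todo": {"id": true, "title": true, "priority": true, "owner_id": true}}
var aggregateFuncs = map[string]bool{"count": true, "sum": true, "avg": true, "min": true, "max": true}
var columnExpr = regexp.MustCompile(`^(?:([a-z_]\w*)\(([a-z_]\w*|\*)\)|([a-z_]\w*))$`)

// safeFragments admits only allowlisted names; one bad value rejects the request, and GROUP BY takes no functions.
func safeFragments(cols map[string]bool, params []string, allowFunc bool) ([]string, error) {
	out := make([]string, 0, len(params))
	for _, p := range params {
		m := columnExpr.FindStringSubmatch(strings.ToLower(strings.TrimSpace(p)))
		switch {
		case m == nil:
			return nil, fmt.Errorf("rejected %q: not a column or func(column)", p)
		case m[3] != "" && !cols[m[3]]:
			return nil, fmt.Errorf("rejected %q: unknown column", p)
		case m[1] != "" && (!allowFunc || !aggregateFuncs[m[1]] || !(cols[m[2]] || m[0] == "count(*)")):
			return nil, fmt.Errorf("rejected %q: function or column not allowed here", p)
		}
		out = append(out, m[0]) // the anchored, lowercased match: nothing but allowlisted names and syntax
	}
	return out, nil
}

// BuildAggregate assembles the SELECT for /aggregate/:typename from validated fragments only.
func BuildAggregate(typename string, columns, groups []string) (string, error) {
	cols, ok := tableColumns[typename] // the table name is allowlisted before it reaches FROM
	if !ok {
		return "", fmt.Errorf("rejected table %q", typename)
	}
	sel, errSel := safeFragments(cols, columns, true)
	grp, errGrp := safeFragments(cols, groups, false)
	if err := errors.Join(errSel, errGrp); err != nil {
		return "", err
	}
	q := "SELECT " + strings.Join(sel, ", ") + " FROM " + typename
	if len(grp) > 0 {
		q += " GROUP BY " + strings.Join(grp, ", ")
	}
	return q, nil
}
```

Fragments that come out of safeFragments are composed only of allowlisted tokens, which is the precondition a goqu.L() call needs; a bare column is better passed through goqu.C() so the builder, not the handler, owns identifier quoting.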
References (2)
x_refsource_confirm: https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv
x_refsource_misc: https://github.com/daptin/daptin/releases/tag/v0.11.4
Scores
CVSS v3: 8.3
EPSS: 0.0034
EPSS Percentile: 26.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (2)
daptin/daptin (Go): 0 - 0.11.4
daptin/daptin: < 0.11.4
Published: May 07, 2026
Tracked Since: May 07, 2026