Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by daptin
CVE-2026-44349 (GCVE-0-2026-44349)
Vulnerability from cvelistv5 – Published: 2026-05-07 13:57 – Updated: 2026-05-07 13:57
VLAI?
Title
Daptin fuzzy search injects unvalidated column name into raw SQL
Summary
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/<entity> with operator=fuzzy (or fuzzy_any, fuzzy_all). Any authenticated user — including one who self-registered with no admin involvement — can read the entire database. This issue has been patched in version 0.11.5.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"cna": {
"affected": [
{
"product": "daptin",
"vendor": "daptin",
"versions": [
{
"status": "affected",
"version": "\u003c 0.11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf(\"LOWER(%s) LIKE ?\", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/\u003centity\u003e with operator=fuzzy (or fuzzy_any, fuzzy_all). Any authenticated user \u2014 including one who self-registered with no admin involvement \u2014 can read the entire database. This issue has been patched in version 0.11.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:57:10.113Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/daptin/daptin/security/advisories/GHSA-pwqg-q8pg-pp6r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/daptin/daptin/security/advisories/GHSA-pwqg-q8pg-pp6r"
},
{
"name": "https://github.com/daptin/daptin/releases/tag/v0.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/daptin/daptin/releases/tag/v0.11.5"
}
],
"source": {
"advisory": "GHSA-pwqg-q8pg-pp6r",
"discovery": "UNKNOWN"
},
"title": "Daptin fuzzy search injects unvalidated column name into raw SQL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44349",
"datePublished": "2026-05-07T13:57:10.113Z",
"dateReserved": "2026-05-05T19:52:59.148Z",
"dateUpdated": "2026-05-07T13:57:10.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41422 (GCVE-0-2026-41422)
Vulnerability from cvelistv5 – Published: 2026-05-07 13:56 – Updated: 2026-05-07 14:57
VLAI?
Title
Daptin vulnerable to SQL injection via unvalidated goqu.L() calls in aggregate API
Summary
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:55:58.874491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:57:04.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "daptin",
"vendor": "daptin",
"versions": [
{
"status": "affected",
"version": "\u003c 0.11.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() \u2014 a raw SQL literal expression builder \u2014 without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:56:18.648Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv"
},
{
"name": "https://github.com/daptin/daptin/releases/tag/v0.11.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/daptin/daptin/releases/tag/v0.11.4"
}
],
"source": {
"advisory": "GHSA-rw2c-8rfq-gwfv",
"discovery": "UNKNOWN"
},
"title": "Daptin vulnerable to SQL injection via unvalidated goqu.L() calls in aggregate API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41422",
"datePublished": "2026-05-07T13:56:18.648Z",
"dateReserved": "2026-04-20T15:32:33.813Z",
"dateUpdated": "2026-05-07T14:57:04.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}