Daptin Headless CMS SQLi Puts Data at High Risk
The National Vulnerability Database (NVD) reports a critical SQL injection vulnerability, CVE-2026-41422, in Daptin, a GraphQL/JSON-API headless CMS written in Go. Prior to version 0.11.4, the /aggregate/:typename endpoint allowed any authenticated user to inject arbitrary SQL expressions: the column and group query parameters were passed straight to goqu.L(), the raw-literal constructor of the goqu query builder, with no validation or sanitization. goqu.L() exists to emit its argument into the query text verbatim, so wrapping untrusted input in it bypasses every protection that parameterization would otherwise provide; the attacker's text is compiled as part of the statement rather than bound as a value.
With a CVSS score of 8.3 (HIGH), this flaw (CWE-89) presents a serious risk. Any authenticated user with a valid session could exploit it for high confidentiality and integrity impact and a low (but non-zero) availability impact, the combination that yields 8.3 for a network-reachable, low-privilege, no-interaction bug. In practice that means reading and modifying data the account was never entitled to see; whether an attacker can also delete data or take the database down depends on the backend, its support for stacked statements and the privileges of the CMS's database account, which is why availability is rated lower than confidentiality and integrity.
Defenders running Daptin should prioritize patching. This is not a theoretical risk but a direct path from any valid session to the database, and "authenticated" is a weak barrier where self-registration is enabled or low-privilege accounts are plentiful. Attackers routinely scan for unpatched, internet-facing applications with known SQLi vectors, and a headless CMS by its nature fronts the content and data its consumers depend on, making it a prime target for exfiltration and integrity attacks.
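The pattern described above, as an added example that is not Daptin's code or the project's fix: the vulnerable builder concatenates the column and group values verbatim, which is exactly what goqu.L(value) emits (plain string building is used here so the program runs without goqu), and the hardened builder resolves every user-controlled token against a schema allowlist before any SQL text is assembled. The table name, its columns and the accepted grammar (a column name, count(*), or func(column) with func drawn from a fixed set) are assumptions made for the demo, not Daptin's real schema or parameter format.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not Daptin's code. The schema, column names and aggregate
// grammar below are assumptions for the demonstration.

// schema is a constructed stand-in for the CMS's knowledge of its own tables.
var schema = map[string]map[string]bool{
	"article": {"id": true, "status": true, "author_id": true, "views": true},
}

// buildAggregateVulnerable mirrors the pre-0.11.4 behaviour: whatever the caller
// sent as column= and group= lands in the query text unchanged, as goqu.L() would emit it.
func buildAggregateVulnerable(typename string, columns, groups []string) string {
	sql := "SELECT " + strings.Join(columns, ", ") + " FROM " + typename
	if len(groups) > 0 {
		sql += " GROUP BY " + strings.Join(groups, ", ")
	}
	return sql
}

var (
	allowedFuncs = map[string]bool{"count": true, "sum": true, "avg": true, "min": true, "max": true}
	aggRe        = regexp.MustCompile(`^([a-z]+)\(([A-Za-z_][A-Za-z0-9_]*|\*)\)$`)
	identRe      = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
)

// quoteIdent double-quotes a name that has already passed the allowlist, so the
// database parses it as an identifier and never as an expression.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// resolveColumn accepts a known column, count(*), or an allowed aggregate over a
// known column, and rejects everything else with an error instead of passing it through.
func resolveColumn(typename, value string) (string, error) {
	cols, ok := schema[typename]
	if !ok {
		return "", fmt.Errorf("unknown type %q", typename)
	}
	if m := aggRe.FindStringSubmatch(value); m != nil {
		fn, arg := m[1], m[2]
		switch {
		case !allowedFuncs[fn]:
			return "", fmt.Errorf("function %q not allowed", fn)
		case arg == "*" && fn == "count":
			return "count(*)", nil
		case arg == "*":
			return "", errors.New("only count(*) may use *")
		case !cols[arg]:
			return "", fmt.Errorf("unknown column %q", arg)
		}
		return fn + "(" + quoteIdent(arg) + ")", nil
	}
	if identRe.MatchString(value) && cols[value] {
		return quoteIdent(value), nil
	}
	return "", fmt.Errorf("rejected column expression %q", value)
}

// buildAggregateSafe is the hardened builder: every user-controlled token is
// resolved against the schema before any SQL text is assembled.
func buildAggregateSafe(typename string, columns, groups []string) (string, error) {
	if len(columns) == 0 {
		return "", errors.New("at least one column is required")
	}
	selects := make([]string, 0, len(columns))
	for _, c := range columns {
		s, err := resolveColumn(typename, c)
		if err != nil {
			return "", err
		}
		selects = append(selects, s)
	}
	sql := "SELECT " + strings.Join(selects, ", ") + " FROM " + quoteIdent(typename)
	if len(groups) > 0 {
		gs := make([]string, 0, len(groups))
		for _, g := range groups {
			if !identRe.MatchString(g) || !schema[typename][g] {
				return "", fmt.Errorf("rejected group column %q", g)
			}
			gs = append(gs, quoteIdent(g))
		}
		sql += " GROUP BY " + strings.Join(gs, ", ")
	}
	return sql, nil
}

func main() {
	// Constructed attack input: a subquery smuggled in through the column parameter.
	evil := []string{"(SELECT password FROM user_account LIMIT 1)"}
	fmt.Println("vulnerable:", buildAggregateVulnerable("article", evil, nil))
	if _, err := buildAggregateSafe("article", evil, nil); err != nil {
		fmt.Println("hardened:", err)
	}
	q, _ := buildAggregateSafe("article", []string{"status", "count(*)"}, []string{"status"})
	fmt.Println("legitimate:", q)
}
```

The point of the hardened version is that the only strings ever interpolated are ones the server itself produced from a closed set; the user's input selects among them but never reaches the query text. Quoting the identifier is belt and braces on top of the allowlist, not a substitute for it.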
What This Means For You
- If your organization uses Daptin, check the running version immediately and upgrade to 0.11.4 or later to close CVE-2026-41422. Until then, restrict who can reach `/aggregate/` (for example at the reverse proxy) and confirm the CMS's database account has no more privilege than it needs. Audit access logs for requests to the `/aggregate/:typename` endpoint whose `column` or `group` parameters contain anything other than plain column names or simple aggregates: quotes, parenthesised subqueries, comment markers (`--`, `/*`), semicolons or keywords such as SELECT, UNION and CASE are the tell-tale signs, and an authenticated user sending them should be treated as an attempted or successful database compromise. Make sure the logs you inspect actually record query strings; many application logs keep only the path.
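One way to run that audit over access logs, as an added example that is not part of the advisory or of Daptin: decode each request target, keep only calls under /aggregate/, and report any column or group value that is not a bare identifier or a simple aggregate. The log-line format, the user names and the sample lines are constructed for the demo; the endpoint path and parameter names come from the CVE text. Checking happens after URL decoding so that percent-encoded payloads are inspected in the form the database would have seen.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Added example for the log-audit step, not part of the advisory or of Daptin.
// Log format and user names are constructed; only the path and parameter
// names come from the CVE description.

// logLineRe matches the constructed format: <timestamp> <user> "<METHOD> <target>" <status>
var logLineRe = regexp.MustCompile(`^(\S+) (\S+) "(\S+) (\S+)" (\d+)$`)

// benignParamRe is the shape a legitimate value is assumed to take: a bare
// identifier or a simple aggregate such as count(*) or sum(views). Anything
// else (quotes, subqueries, comments, stacked statements) is reported.
var benignParamRe = regexp.MustCompile(`^(?:[A-Za-z_][A-Za-z0-9_]*|[a-z]+\((?:\*|[A-Za-z_][A-Za-z0-9_]*)\))$`)

func isBenignParam(v string) bool { return benignParamRe.MatchString(v) }

// hit records one request whose column/group value looks like injected SQL.
type hit struct {
	User, Param, Value string
}

// scanAccessLog parses each line, keeps /aggregate/<typename> requests, and
// checks every column and group value after URL decoding.
func scanAccessLog(lines []string) []hit {
	var hits []hit
	for _, line := range lines {
		m := logLineRe.FindStringSubmatch(line)
		if m == nil {
			continue // unexpected format; a production scanner would count these
		}
		user, target := m[2], m[4]
		u, err := url.Parse(target)
		if err != nil || !strings.HasPrefix(u.Path, "/aggregate/") {
			continue
		}
		q := u.Query()
		for _, param := range []string{"column", "group"} {
			for _, v := range q[param] {
				if !isBenignParam(v) {
					hits = append(hits, hit{User: user, Param: param, Value: v})
				}
			}
		}
	}
	return hits
}

// sampleLog is constructed input: two benign aggregate calls, one unrelated
// request, and two requests carrying SQL in the vulnerable parameters.
var sampleLog = []string{
	`2026-05-08T10:00:01Z alice "GET /aggregate/article?column=count(*)&group=status" 200`,
	`2026-05-08T10:00:07Z bob "GET /aggregate/article?column=(SELECT%20password%20FROM%20user_account)" 200`,
	`2026-05-08T10:00:09Z carol "GET /article?column=x" 200`,
	`2026-05-08T10:00:12Z dave "GET /aggregate/article?column=sum(views)&group=author_id" 200`,
	`2026-05-08T10:00:15Z erin "GET /aggregate/article?column=id&group=status%3B%20DROP%20TABLE%20article--" 500`,
}

func main() {
	for _, h := range scanAccessLog(sampleLog) {
		fmt.Printf("user=%s param=%s value=%q\n", h.User, h.Param, h.Value)
	}
}
```

The benign pattern is deliberately strict, so a legitimate client that sends richer expressions will show up as a hit; tune it to what your own front end actually sends rather than loosening it to what an attacker might send. A 200 response on a flagged line (bob) matters more than a 500 (erin): the former suggests the injected expression executed.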
Vulnerability Summary
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41422 | Vulnerable endpoint | Daptin `/aggregate/:typename` (requires an authenticated session) |
| CVE-2026-41422 | Affected versions | Daptin prior to 0.11.4 (fixed in 0.11.4) |
| CVE-2026-41422 | Vulnerable parameters | `column`, `group` (passed unvalidated to goqu.L()) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.