Arbitrary SQL Injection in Daptin Headless CMS
CVE-2026-41422

8.3 HIGH

Key Information:

Vendor

Daptin

Status
Vendor
CVE Published:
7 May 2026

What is CVE-2026-41422?

Daptin, a GraphQL/JSON-API headless CMS, exposes an /aggregate/:typename endpoint for grouped queries over a table. Before version 0.11.4 the endpoint passed its column and group query parameters into the generated SQL without validating them. Any authenticated user with a valid session could therefore place SQL expressions in those parameters and have them executed directly against the database, reading data the session is not entitled to and potentially altering it. Note that exploitation needs only a low-privilege session, not administrative access. Version 0.11.4 fixes the issue by validating these parameters; upgrade to 0.11.4 or later.
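To make the flaw concrete, the following Go example (added for this page; it is not Daptin's code and does not reproduce its query builder) contrasts the pattern the advisory describes, joining the column and group parameters straight into the statement, with a builder that admits only known column names and a fixed set of aggregate functions. The table name, its columns, the allowed functions and the injected subquery are all constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed schema allowlist standing in for the CMS's table metadata.
// Example code for this page, not Daptin's implementation.
var tableColumns = map[string]map[string]bool{
	"article": {"id": true, "title": true, "author_id": true, "views": true},
}

// A column parameter is either a bare column name or fn(column) / COUNT(*)
// with fn drawn from a fixed set. Nothing else is accepted, so quotes,
// commas, semicolons, comment markers and subqueries never reach the SQL.
var aggRe = regexp.MustCompile(`^(?i:(count|sum|avg|min|max))\((\*|[A-Za-z_][A-Za-z0-9_]*)\)$`)
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// buildAggregateUnsafe mirrors the pre-0.11.4 pattern the advisory describes:
// the column and group query parameters are joined into the statement verbatim,
// so whatever the caller sends is executed as SQL.
func buildAggregateUnsafe(table string, columns, groups []string) string {
	return fmt.Sprintf("SELECT %s FROM %s GROUP BY %s",
		strings.Join(columns, ", "), table, strings.Join(groups, ", "))
}

// validateColumn returns the quoted SQL fragment for one column parameter,
// or an error if it is neither a known column nor an allowed aggregate of one.
func validateColumn(cols map[string]bool, p string) (string, error) {
	if m := aggRe.FindStringSubmatch(p); m != nil {
		fn, arg := strings.ToUpper(m[1]), m[2]
		if arg == "*" {
			if fn != "COUNT" {
				return "", fmt.Errorf("%s(*) is not allowed", fn)
			}
			return "COUNT(*)", nil
		}
		if !cols[arg] {
			return "", fmt.Errorf("unknown column %q in %s()", arg, fn)
		}
		return fmt.Sprintf(`%s("%s")`, fn, arg), nil
	}
	if identRe.MatchString(p) && cols[p] {
		return `"` + p + `"`, nil
	}
	return "", fmt.Errorf("rejected column parameter %q", p)
}

// buildAggregateSafe checks the table, every column and every group parameter
// against the schema allowlist before any of them is placed in the statement.
func buildAggregateSafe(table string, columns, groups []string) (string, error) {
	cols, ok := tableColumns[table]
	if !ok {
		return "", fmt.Errorf("unknown table %q", table)
	}
	if len(columns) == 0 {
		return "", fmt.Errorf("at least one column is required")
	}
	sel := make([]string, 0, len(columns))
	for _, c := range columns {
		frag, err := validateColumn(cols, c)
		if err != nil {
			return "", err
		}
		sel = append(sel, frag)
	}
	grp := make([]string, 0, len(groups))
	for _, g := range groups {
		// GROUP BY terms must be plain known columns, never aggregates or expressions.
		if !identRe.MatchString(g) || !cols[g] {
			return "", fmt.Errorf("rejected group parameter %q", g)
		}
		grp = append(grp, `"`+g+`"`)
	}
	q := fmt.Sprintf(`SELECT %s FROM "%s"`, strings.Join(sel, ", "), table)
	if len(grp) > 0 {
		q += " GROUP BY " + strings.Join(grp, ", ")
	}
	return q, nil
}

func main() {
	// Constructed request parameters: a legitimate aggregate and a column
	// value carrying a subquery against a hypothetical "secrets" table.
	good := []string{"author_id", "count(*)"}
	evil := []string{"author_id", "(SELECT secret FROM secrets)"}
	groups := []string{"author_id"}

	fmt.Println("unsafe:", buildAggregateUnsafe("article", evil, groups))
	if q, err := buildAggregateSafe("article", good, groups); err == nil {
		fmt.Println("safe:  ", q)
	}
	if _, err := buildAggregateSafe("article", evil, groups); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The safe builder never escapes user input; it only ever emits identifiers it has already matched against the schema, which is the property a fix for this class of bug needs. Parameterised queries do not help here, because the injected text lands in the select list and GROUP BY clause, positions a bind parameter cannot occupy.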

Affected Version(s)

daptin < 0.11.4

References

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
