SQL Injection Vulnerability in Daptin Headless CMS
CVE-2026-44349
7.1 HIGH
What is CVE-2026-44349?
Daptin headless CMS versions prior to 0.11.5 are affected by an SQL injection vulnerability. The flaw lies in the processFuzzySearch function, which does not adequately validate user-supplied input: because the function lacks effective column whitelisting, any authenticated user, including users who have self-registered, can issue a fuzzy search through the GET /api/ endpoint with the operator=fuzzy parameter and use it to read data from any column and table in the database. The vulnerability is fixed in version 0.11.5.
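The missing control the advisory describes is an allowlist check on the column (and table) a fuzzy search may touch, with the search term bound as a query parameter rather than concatenated. The following Go snippet is an added illustration of that pattern and is not Daptin's own code; the table and column names, the BuildFuzzyQuery function and the `?` placeholder style (MySQL/SQLite) are assumptions made for the example.

```go
package main

import "fmt"

// columnAllowlist maps each searchable table to the columns a fuzzy search
// may read. Sensitive columns are simply absent. Names are constructed for
// this example, not taken from any real schema.
var columnAllowlist = map[string]map[string]bool{
	"article": {"title": true, "body": true},
	"comment": {"body": true},
}

// BuildFuzzyQuery returns a parameterized SELECT and its bound arguments, or
// an error when the requested table or column is not on the allowlist.
// Identifiers (table, column) are only interpolated after the allowlist
// check; the user-controlled term is never placed in the SQL text.
func BuildFuzzyQuery(table, column, term string) (string, []any, error) {
	cols, ok := columnAllowlist[table]
	if !ok {
		return "", nil, fmt.Errorf("table %q is not searchable", table)
	}
	if !cols[column] {
		return "", nil, fmt.Errorf("column %q of table %q is not searchable", column, table)
	}
	query := fmt.Sprintf("SELECT id, %s FROM %s WHERE %s LIKE ? LIMIT 50", column, table, column)
	return query, []any{"%" + term + "%"}, nil
}

func main() {
	// A permitted search: the column is on the allowlist, the term is bound.
	q, args, err := BuildFuzzyQuery("article", "title", "daptin")
	fmt.Println(q, args, err)

	// A request for a column that is not searchable is refused before any
	// SQL is built, so the database is never consulted.
	_, _, err = BuildFuzzyQuery("article", "password_hash", "x")
	fmt.Println(err)
}
```

Without the allowlist, the column name would reach the SQL text unchecked, which is the condition the advisory attributes to processFuzzySearch.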
Affected Version(s)
daptin < 0.11.5
