PT-2026-34606 · Daptin

Vashuvats · Published 2026-04-22 · Updated 2026-05-07 · CVE-2026-41422

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Daptin versions prior to 0.11.4

Description: The '/aggregate/:typename' endpoint accepts column and group query parameters that are passed without validation to goqu.L(), a raw SQL literal expression builder. This bypasses parameterization, allowing authenticated users with any valid session to inject arbitrary SQL expressions. This can lead to the extraction of data from any table via subqueries, disclosure of database internals, and exfiltration of cross-table data via correlated subqueries.

Recommendations: Update to version 0.11.4.
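The pattern described above, as an added example that is not Daptin's own code or its fix: an aggregate query builder that drops the request's column and group parameters into SQL text as raw literals (the behaviour of goqu.L()), beside a hardened builder that accepts only plain identifiers present in a schema allowlist and emits them quoted. The schema map, the table name "order" and the request values are constructed for the example; goqu itself is not imported, so the unsafe builder is a stand-in for the goqu.L() call rather than the library's API. With goqu the corresponding safe calls are goqu.C() / goqu.I() on an already-validated name.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical table metadata: table name -> declared column names.
// Constructed for this example; it stands in for the application's schema lookup.
var schema = map[string][]string{
	"order": {"id", "status", "amount", "customer_id"},
}

// identRe accepts only plain SQL identifiers. Spaces, parentheses, quotes,
// operators and comment markers all fail to match.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// buildAggregateUnsafe mirrors the reported pattern: the column and group
// parameters become SQL text unchanged (what goqu.L() does), so the request
// controls SQL syntax rather than a bound value.
func buildAggregateUnsafe(typename string, column, group []string) string {
	return fmt.Sprintf("SELECT %s FROM %s GROUP BY %s",
		strings.Join(column, ", "), typename, strings.Join(group, ", "))
}

// validateIdentifiers checks each requested name against the identifier
// pattern and against the columns the schema declares for the table.
func validateIdentifiers(typename string, names []string) error {
	allowed, ok := schema[typename]
	if !ok {
		return fmt.Errorf("unknown table %q", typename)
	}
	for _, n := range names {
		if !identRe.MatchString(n) {
			return fmt.Errorf("rejecting %q: not a plain identifier", n)
		}
		found := false
		for _, a := range allowed {
			if a == n {
				found = true
				break
			}
		}
		if !found {
			return fmt.Errorf("rejecting %q: not a column of %q", n, typename)
		}
	}
	return nil
}

// quoteIdent double-quotes a validated identifier (ANSI SQL style).
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// buildAggregateSafe validates typename, column and group against the
// schema allowlist and emits only quoted identifiers.
func buildAggregateSafe(typename string, column, group []string) (string, error) {
	if len(column) == 0 {
		return "", errors.New("at least one column is required")
	}
	if err := validateIdentifiers(typename, column); err != nil {
		return "", err
	}
	if err := validateIdentifiers(typename, group); err != nil {
		return "", err
	}
	cols := make([]string, len(column))
	for i, c := range column {
		cols[i] = quoteIdent(c)
	}
	q := "SELECT " + strings.Join(cols, ", ") + " FROM " + quoteIdent(typename)
	if len(group) > 0 {
		gs := make([]string, len(group))
		for i, g := range group {
			gs[i] = quoteIdent(g)
		}
		q += " GROUP BY " + strings.Join(gs, ", ")
	}
	return q, nil
}

func main() {
	// Constructed request: "amount*2" is an expression, not a column name.
	col := []string{"status", "amount*2"}
	fmt.Println(buildAggregateUnsafe("order", col, []string{"status"}))
	if _, err := buildAggregateSafe("order", col, []string{"status"}); err != nil {
		fmt.Println("rejected:", err)
	}
	q, _ := buildAggregateSafe("order", []string{"status", "amount"}, []string{"status"})
	fmt.Println(q)
}
```

Real aggregate endpoints usually also accept aggregate functions (count, sum and so on); those belong in a second, fixed allowlist of function names applied to validated column identifiers, never in a free-form expression string handed to goqu.L(). The unknown-table check matters too, since the typename path segment reaches the query the same way the column parameters do.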

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-41422
GHSA-RW2C-8RFQ-GWFV

Affected Products

Daptin
github.com/daptin/daptin