SQL Injection in Daptin
CVE-2026-44349
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu…
Vulnerability class: SQL Injection
EPSS: 0.000 (4.5th percentile)
Affected products
- Daptin — versions < 0.11.5
Weakness classification (CWE)
References
- https://github.com/daptin/daptin/security/advisories/GHSA-pwqg-q8pg-pp6r (x_refsource_CONFIRM)
- https://github.com/daptin/daptin/releases/tag/v0.11.5 (x_refsource_MISC)