VYPR

Daptin

by Daptin

Source repositories

CVEs (3)

  • CVE-2026-41422HigMay 7, 2026
    risk 0.47cvss 8.3epss 0.00

    Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all…

  • CVE-2025-15439MedJan 2, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be…

  • CVE-2026-44349HigMay 7, 2026
    risk 0.39cvss epss 0.00

    Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?",…