{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/daptin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Daptin"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":["Daptin"],"content_html":"\u003cp\u003eDaptin versions prior to 0.11.4 are susceptible to a SQL injection vulnerability in the \u003ccode\u003e/aggregate/:typename\u003c/code\u003e endpoint. The vulnerability arises because the application fails to properly validate the \u003ccode\u003ecolumn\u003c/code\u003e and \u003ccode\u003egroup\u003c/code\u003e query parameters before passing them to \u003ccode\u003egoqu.L()\u003c/code\u003e. This function is used to build raw SQL literal expressions, thus bypassing parameterization and allowing attackers to inject arbitrary SQL code. Any authenticated user, regardless of privilege level, can exploit this vulnerability. This poses a significant risk as it enables unauthorized data extraction, disclosure of database internals, and cross-table data exfiltration. The vulnerability was reported on 2026-04-22 and assigned CVE-2026-41422.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Daptin application with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/aggregate/:typename\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a SQL payload into the \u003ccode\u003ecolumn\u003c/code\u003e or \u003ccode\u003egroup\u003c/code\u003e query parameters. 
For example, \u003ccode\u003ecolumn=(SELECT group_concat(email) FROM user_account) as leak\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Daptin application receives the request and passes the unvalidated \u003ccode\u003ecolumn\u003c/code\u003e parameter to the \u003ccode\u003egoqu.L()\u003c/code\u003e function in \u003ccode\u003eserver/resource/resource_aggregate.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egoqu.L()\u003c/code\u003e function constructs a raw SQL query using the attacker-controlled input, bypassing any parameterization.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is executed against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the injected SQL query\u0026rsquo;s result from the application\u0026rsquo;s response, which contains sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the extracted data, potentially including user credentials, internal database schema details, or other confidential information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows attackers to perform unauthorized data extraction, including sensitive information like user credentials. An attacker can also disclose database internals and exfiltrate data from multiple tables, even with low-privilege access. The impact includes potential data breaches, compliance violations, and reputational damage. 
The vulnerability was confirmed to allow extraction of \u003ccode\u003euser_account.email\u003c/code\u003e values by a non-admin user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Daptin to version 0.11.4 or later to patch the SQL injection vulnerability (CVE-2026-41422).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Daptin Aggregate API SQL Injection\u003c/code\u003e to identify exploitation attempts in web server logs. Because the payload travels in the \u003ccode\u003ecolumn\u003c/code\u003e and \u003ccode\u003egroup\u003c/code\u003e query parameters, the web server must log the full request query string for any such rule to see it, and detection must not be limited to error responses: a successful injection returns its result in an ordinary response.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, validate the \u003ccode\u003ecolumn\u003c/code\u003e and \u003ccode\u003egroup\u003c/code\u003e parameters in the \u003ccode\u003e/aggregate/:typename\u003c/code\u003e endpoint against an allowlist of the actual column names of the target table, plus a fixed set of permitted aggregate functions, and pass the validated names to the query builder as quoted identifiers rather than through \u003ccode\u003egoqu.L()\u003c/code\u003e. Blocking SQL keywords alone is not sufficient: a denylist can be bypassed with alternative syntax, comments, or functions it does not list.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-daptin-sql-injection/","summary":"A SQL injection vulnerability exists in Daptin versions prior to 0.11.4 within the `/aggregate/:typename` endpoint, where the `column` and `group` query parameters are passed to `goqu.L()` without validation, allowing authenticated users to inject arbitrary SQL expressions and exfiltrate sensitive data.","title":"Daptin SQL Injection Vulnerability in Aggregate API","url":"https://feed.craftedsignal.io/briefs/2026-04-daptin-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Daptin","version":"https://jsonfeed.org/version/1.1"}
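As an added illustration, not Daptin's own code and not part of the advisory above, the following Go program shows the pattern behind the flaw and the allowlist fix the recommendation calls for. The unsafe builder splices the request parameters into the statement as raw SQL text, which is the effect goqu.L() has on its argument; plain string concatenation stands in for goqu so the program runs with the standard library alone. The table schema, the set of permitted aggregate functions and the function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for the per-table schema the application already holds.
// Daptin's real schema structures are not modelled here (assumption).
var tableColumns = map[string]map[string]bool{
	"user_account": {"id": true, "email": true, "name": true, "created_at": true},
	"orders":       {"id": true, "amount": true, "user_id": true, "created_at": true},
}

// Aggregate functions the endpoint may apply: a fixed set, never taken from the request.
var allowedAggregates = map[string]bool{
	"count": true, "sum": true, "avg": true, "min": true, "max": true,
}

// identRe accepts plain SQL identifiers only, so a value that passes it can be
// quoted without any escaping.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// BuildAggregateUnsafe mirrors the pre-0.11.4 behaviour the advisory describes:
// column and group are spliced into the statement as raw SQL text (what
// goqu.L() does with its argument), so whatever the caller sends is executed.
func BuildAggregateUnsafe(table string, columns, groups []string) string {
	q := "SELECT " + strings.Join(columns, ", ") + " FROM " + table
	if len(groups) > 0 {
		q += " GROUP BY " + strings.Join(groups, ", ")
	}
	return q
}

func quoteIdent(s string) string { return `"` + s + `"` }

// columnExpr accepts only "column" or "func(column)" where func is in
// allowedAggregates and column exists in the table's schema, and returns the
// quoted SQL for it. The advisory's "(SELECT ...) as leak" fails the first check.
func columnExpr(table, raw string) (string, error) {
	cols := tableColumns[table]
	fn, col := "", raw
	if i := strings.IndexByte(raw, '('); i >= 0 {
		if !strings.HasSuffix(raw, ")") {
			return "", fmt.Errorf("malformed column expression %q", raw)
		}
		fn, col = strings.ToLower(raw[:i]), raw[i+1:len(raw)-1]
		if !allowedAggregates[fn] {
			return "", fmt.Errorf("aggregate %q not allowed", fn)
		}
	}
	if !identRe.MatchString(col) || !cols[col] {
		return "", fmt.Errorf("unknown column %q for table %q", col, table)
	}
	if fn == "" {
		return quoteIdent(col), nil
	}
	return fn + "(" + quoteIdent(col) + ")", nil
}

// BuildAggregateSafe is the hardened form: every request-controlled token is
// checked against the schema allowlist and emitted as a quoted identifier, so
// no request text ever reaches the statement as SQL.
func BuildAggregateSafe(table string, columns, groups []string) (string, error) {
	if !identRe.MatchString(table) || tableColumns[table] == nil {
		return "", fmt.Errorf("unknown table %q", table)
	}
	if len(columns) == 0 {
		return "", fmt.Errorf("no columns requested")
	}
	sel := make([]string, 0, len(columns))
	for _, c := range columns {
		expr, err := columnExpr(table, strings.TrimSpace(c))
		if err != nil {
			return "", err
		}
		sel = append(sel, expr)
	}
	grp := make([]string, 0, len(groups))
	for _, g := range groups {
		g = strings.TrimSpace(g)
		if !identRe.MatchString(g) || !tableColumns[table][g] {
			return "", fmt.Errorf("unknown group column %q for table %q", g, table)
		}
		grp = append(grp, quoteIdent(g))
	}
	q := "SELECT " + strings.Join(sel, ", ") + " FROM " + quoteIdent(table)
	if len(grp) > 0 {
		q += " GROUP BY " + strings.Join(grp, ", ")
	}
	return q, nil
}

func main() {
	payload := "(SELECT group_concat(email) FROM user_account) as leak"
	fmt.Println("unsafe:", BuildAggregateUnsafe("orders", []string{payload}, nil))
	if _, err := BuildAggregateSafe("orders", []string{payload}, nil); err != nil {
		fmt.Println("safe rejected:", err)
	}
	q, _ := BuildAggregateSafe("orders", []string{"count(id)", "sum(amount)", "user_id"}, []string{"user_id"})
	fmt.Println("safe:", q)
}
```

The safe builder never inspects the input for keywords; it only asks whether each token is a name the schema already knows, which is why the subselect payload, a trailing comment, or a closing parenthesis injected into `group` are all rejected by the same two checks.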
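A second added example, likewise not from the advisory or the project: a minimal log scanner in Go with the same intent as the Sigma rule recommended above. Instead of matching SQL keywords, it flags any /aggregate/ request whose column or group value is not a bare identifier or func(identifier), the only shapes the endpoint legitimately needs, and it decodes percent-encoding first so encoded payloads are not missed. The log lines are constructed for this example in combined access-log format; how a given deployment logs requests is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hit is one request whose column or group parameter falls outside the benign grammar.
type Hit struct {
	Client string
	Table  string
	Param  string
	Value  string
	Status string
}

// requestRe pulls client, method, request target and status out of a
// combined-format access log line (assumed log shape).
var requestRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})`)

// benignParam is the positive grammar for column and group: a bare identifier
// or aggregate(identifier). Anything else, including the subselect payload from
// the advisory, is flagged, so no list of SQL keywords has to be maintained.
var benignParam = regexp.MustCompile(`^(?:[A-Za-z_][A-Za-z0-9_]*|[A-Za-z_]+\([A-Za-z_][A-Za-z0-9_]*\))$`)

// ScanAccessLog returns every /aggregate/ request whose column or group
// parameter does not match benignParam, regardless of response status.
func ScanAccessLog(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[3])
		if err != nil || !strings.HasPrefix(u.Path, "/aggregate/") {
			continue
		}
		table := strings.TrimPrefix(u.Path, "/aggregate/")
		q := u.Query() // decodes %28, %20 and friends in every value
		for _, p := range []string{"column", "group"} {
			for _, v := range q[p] {
				if !benignParam.MatchString(v) {
					hits = append(hits, Hit{Client: m[1], Table: table, Param: p, Value: v, Status: m[4]})
				}
			}
		}
	}
	return hits
}

// SampleLog is constructed for this example; it is not a real Daptin or proxy log.
// Line 2 carries the advisory's subselect in column, line 3 an injection in group,
// lines 1 and 4 are benign traffic.
var SampleLog = []string{
	`10.0.0.5 - - [23/Apr/2026:10:01:02 +0000] "GET /aggregate/orders?column=count(id)&group=user_id HTTP/1.1" 200 512`,
	`10.0.0.9 - - [23/Apr/2026:10:01:07 +0000] "GET /aggregate/orders?column=%28SELECT%20group_concat%28email%29%20FROM%20user_account%29%20as%20leak HTTP/1.1" 200 2048`,
	`10.0.0.9 - - [23/Apr/2026:10:01:09 +0000] "GET /aggregate/orders?column=id&group=user_id%29%20UNION%20SELECT%20email%20FROM%20user_account-- HTTP/1.1" 500 0`,
	`10.0.0.7 - - [23/Apr/2026:10:02:00 +0000] "GET /api/user_account?page=1 HTTP/1.1" 200 9000`,
}

func main() {
	for _, h := range ScanAccessLog(SampleLog) {
		fmt.Printf("%s table=%s %s=%q status=%s\n", h.Client, h.Table, h.Param, h.Value, h.Status)
	}
}
```

Note that the second sample line is a 200: the data left in the response body, so a detection keyed on 5xx responses would miss the successful exfiltration and only catch the attacker's failed attempts.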