EXECUTIVE SUMMARY:
CVE-2026-41422, with a CVSS score of 8.3, is a remote SQL injection vulnerability affecting the go/github.com/daptin/daptin package, specifically versions prior to 0.11.4. The vulnerability stems from unvalidated goqu.L calls in the /aggregate/:typename endpoint, which accepts the column and group query parameters without any validation and so allows an attacker to inject arbitrary SQL expressions. An authenticated low-privilege user can exploit this vulnerability by passing malicious input in the column parameter, enabling them to extract data from any table, disclose database internals, and exfiltrate cross-table data via correlated subqueries. This could result in sensitive data exposure and potentially lead to unauthorized access to critical system information. The attacker requires valid session credentials to exploit this vulnerability, and the attack vector involves manipulating user-controlled input parameters to inject malicious SQL code.
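The flaw described above is that request-supplied column and group values reach goqu.L as raw SQL literals. The following is an added example, not Daptin's own code, of the defensive shape such an endpoint needs: every column and group value must be an exact, allowlisted column of the requested table and is emitted as a quoted identifier, so expression or subquery text in a parameter is refused before any SQL is built. It is plain Go with no goqu dependency; the tableColumns schema, the allowedFuncs set, the parameter layout and the query shape are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed schema: columns the aggregate endpoint may expose per table (from metadata, never from the request).
var tableColumns = map[string]map[string]bool{
	"user_account": {"id": true, "email": true, "created_at": true},
}
// Aggregate functions a caller may choose; the name is looked up, never spliced in.
var allowedFuncs = map[string]bool{"count": true, "sum": true, "min": true, "max": true, "avg": true}
// quoteIdent double-quotes a name so the database can only read it as an identifier.
func quoteIdent(s string) string { return `"` + strings.ReplaceAll(s, `"`, `""`) + `"` }

// quoteAll requires every request value to be an exact allowlisted column name, so text
// carrying an expression or subquery is refused, then renders it through format.
func quoteAll(cols map[string]bool, vals []string, format string) ([]string, error) {
	out := make([]string, 0, len(vals))
	for _, v := range vals {
		if !cols[v] {
			return nil, fmt.Errorf("rejected column %q", v)
		}
		out = append(out, fmt.Sprintf(format, quoteIdent(v)))
	}
	return out, nil
}

// safeAggregate builds SELECT <groups>, fn(<columns>) FROM <table> GROUP BY <groups>
// from request values, failing closed on anything outside the allowlists.
func safeAggregate(table, fn string, columns, groups []string) (string, error) {
	cols, ok := tableColumns[table]
	if !ok || !allowedFuncs[fn] {
		return "", fmt.Errorf("unknown table %q or function %q", table, fn)
	}
	grp, err := quoteAll(cols, groups, "%s")
	if err != nil {
		return "", err
	}
	agg, err := quoteAll(cols, columns, fn+"(%s)")
	if err != nil {
		return "", err
	}
	q := "SELECT " + strings.Join(append(grp, agg...), ", ") + " FROM " + quoteIdent(table)
	if len(grp) > 0 {
		q += " GROUP BY " + strings.Join(grp, ", ")
	}
	return q, nil
}

func main() { fmt.Println(safeAggregate("user_account", "count", []string{"id"}, []string{"email"})) }
```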
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-rw2c-8rfq-gwfv