CVE ID :CVE-2026-41422 Published : May 7, 2026, 1:56 p.m. | 1 hour, 9 minutes ago Description :Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...