CVE-2025-15439
SQL Injection in Daptin Aggregate API Enables Remote Exploitation

Publication date: 2026-01-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. Manipulation of the argument column/group/order leads to SQL injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Generated: 2026-05-06
AI Q&A generated: 2026-01-02
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: daptin
Product: daptin
Version / Range: from 0.10.3 (inclusive); no upper bound given
CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-15439 is a SQL injection vulnerability in Daptin 0.10.3, in the Aggregate API (server/resource/resource_aggregate.go). The user-supplied `column`, `group`, and `order` parameters are passed to goqu.L() without validation. goqu.L() builds a raw SQL literal: its argument is written into the generated statement as-is, neither quoted as an identifier nor bound as a parameter, so whatever the caller places in those parameters becomes SQL. Exploitation requires a valid JWT token with administrator privileges; on a fresh Daptin instance these can be obtained by registering as the first user. With such a token an attacker can run arbitrary SQL against the backing database to read sensitive data, modify it, or cause a denial of service. [1, 3]


How can this vulnerability impact me?

An attacker who holds an administrator token can extract any data from the database, including user credentials and API keys (confidentiality), modify data (integrity), and cause denial of service with resource-intensive injected queries (availability). Because the aggregate endpoint is reachable over the network, the attack can be carried out remotely. The administrator requirement limits who can exploit it, but an unclaimed fresh instance, where the first registrant becomes administrator, or a compromised administrator token removes that barrier. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

These checks actively exercise the injection point, so run them only against instances you are authorized to test. They send requests to the aggregate endpoint (/aggregate/:typename) with SQL expressions in the `column`, `group`, or `order` parameters; a vulnerable build evaluates the expression and returns the result in the aggregate response. Example commands:

1. Extract the SQLite version:
curl -H "Authorization: Bearer <JWT_TOKEN>" "http://<target>/aggregate/world?column=sqlite_version()%20as%20ver"

2. Extract the database file path:
curl -H "Authorization: Bearer <JWT_TOKEN>" "http://<target>/aggregate/world?column=(SELECT%20file%20FROM%20pragma_database_list%20LIMIT%201)%20as%20db_path"

3. Extract user emails and password hashes:
curl -H "Authorization: Bearer <JWT_TOKEN>" "http://<target>/aggregate/user_account?column=email,password_hash"

A valid JWT token with administrator privileges is required. The first two commands use SQLite-specific functions (sqlite_version(), pragma_database_list) and only return meaningful results against a SQLite backend.

For passive detection, review web server or reverse-proxy access logs for requests to /aggregate/ whose `column`, `group`, or `order` values contain anything beyond plain column names and aggregate function calls: a parenthesised SELECT, quotes, semicolons, comment sequences, or references to pragma tables. [1]
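The passive log review described above can be automated. The following Go program is an added example, not Daptin's code or anything from the cited references: it reads access-log lines of the constructed form "METHOD PATH?QUERY STATUS", decodes the `column`, `group`, and `order` values of every request to /aggregate/, and reports any value that does not fit the grammar of a plain column or aggregate expression, plus benign-looking requests for columns on a constructed list of sensitive names. The sample log lines, the grammar, the keyword list and the sensitive-column list are all assumptions made for the example; adapt them to your proxy's log format and your schema.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines ("METHOD PATH?QUERY STATUS"), not from any
// real deployment; lines 2-4 reproduce the request shapes of the curl commands above.
var sampleLog = []string{
	"GET /aggregate/world?column=count(*)%20as%20n&group=table_name 200",
	"GET /aggregate/world?column=sqlite_version()%20as%20ver 200",
	"GET /aggregate/world?column=(SELECT%20file%20FROM%20pragma_database_list%20LIMIT%201)%20as%20db_path 200",
	"GET /aggregate/user_account?column=email,password_hash 200",
	"GET /api/world?page=1 200",
	"GET /aggregate/world?column=id&order=id%20desc 200",
}

// Finding describes one parameter value that deserves a look.
type Finding struct {
	Line   int    // 1-based index into the log
	Param  string // column, group or order
	Value  string // decoded value that triggered the finding
	Reason string
}

// safeExprRe is the shape a benign aggregate parameter is expected to have: a
// column or func(column|*), optional "as alias", optional asc/desc.
var safeExprRe = regexp.MustCompile(`^(?:[A-Za-z_]\w*|[A-Za-z]+\((?:[A-Za-z_]\w*|\*)\))(?:\s+[Aa][Ss]\s+[A-Za-z_]\w*)?(?:\s+(?:[Aa][Ss][Cc]|[Dd][Ee][Ss][Cc]))?$`)

// indicators label why a value fell outside that shape (constructed list).
var indicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"sql keyword", regexp.MustCompile(`(?i)\b(select|union|from|where|pragma)\b`)},
	{"quote or comment", regexp.MustCompile(`['";]|--|/\*`)},
	{"function call", regexp.MustCompile(`\w+\s*\(`)},
}

// sensitiveColumns are names worth flagging even when the syntax is benign
// (constructed list; adapt to your schema).
var sensitiveColumns = map[string]bool{"password": true, "password_hash": true, "token": true}

var identRe = regexp.MustCompile(`[A-Za-z_]\w*`)

// scanAggregateLog decodes the column/group/order parameters of every request to
// /aggregate/ and returns one Finding per suspicious value, in log order.
func scanAggregateLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 || !strings.HasPrefix(fields[1], "/aggregate/") {
			continue
		}
		u, err := url.Parse(fields[1])
		if err != nil {
			out = append(out, Finding{i + 1, "", fields[1], "unparseable request target"})
			continue
		}
		q := u.Query()
		for _, param := range []string{"column", "group", "order"} {
			for _, raw := range q[param] {
				for _, piece := range strings.Split(raw, ",") {
					piece = strings.TrimSpace(piece)
					if piece == "" {
						continue
					}
					if safeExprRe.MatchString(piece) {
						for _, id := range identRe.FindAllString(piece, -1) {
							if sensitiveColumns[strings.ToLower(id)] {
								out = append(out, Finding{i + 1, param, piece, "sensitive column requested"})
								break
							}
						}
						continue
					}
					var why []string
					for _, ind := range indicators {
						if ind.re.MatchString(piece) {
							why = append(why, ind.name)
						}
					}
					out = append(out, Finding{i + 1, param, piece, "outside column grammar: " + strings.Join(why, ", ")})
				}
			}
		}
	}
	return out
}

func main() {
	for _, f := range scanAggregateLog(sampleLog) {
		fmt.Printf("line %d %s=%q: %s\n", f.Line, f.Param, f.Value, f.Reason)
	}
}
```

On the sample log this reports the sqlite_version() call and the pragma_database_list subquery as outside the grammar and the password_hash request as a sensitive-column read, while the count(*)/GROUP BY request and the plain ORDER BY request produce nothing. The grammar is deliberately an allow-shape rather than a deny-list of bad tokens, so an injection that avoids every keyword on the indicator list is still reported, just with an empty reason suffix.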


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps:

1. Restrict access to the aggregate API endpoint to trusted administrators only, and review who holds administrator tokens; on a fresh instance the first registered user becomes administrator, so make sure that account is yours.
2. Validate the `column`, `group`, and `order` parameters against an allow-list of the table's actual column names and a short list of aggregate functions, and reject anything else rather than trying to filter bad characters out of free-form input.
3. Stop passing these parameters through goqu.L(), which emits its argument as a raw SQL literal. Build column references with goqu.C() so they are quoted as identifiers, and only after they have passed the allow-list check; quoting alone does not turn an arbitrary expression into a safe one.
4. Disallow subquery syntax and any other SQL construct in these parameters; with an allow-list in place, nothing containing parentheses other than an approved function call, quotes, or semicolons should reach the query builder.
5. Update Daptin once a release that fixes the issue is available. The affected range on this page has no upper bound and the vendor did not respond to the disclosure, so check the project's releases rather than assuming a later version is fixed.
6. Monitor logs for suspicious activity on the aggregate endpoint.

If no patch is available, restrict or disable the aggregate API until a fix is applied. [1]
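To make the root cause from the first answer and mitigation steps 2 and 3 concrete, here is an added Go example written for this page; it is not Daptin's code and not the goqu library's API. `buildAggregateVulnerable` models the goqu.L() behaviour described above by splicing the request's `column`, `group` and `order` values into the statement verbatim. `buildAggregateHardened` accepts the same inputs but checks every piece against a constructed per-table column allow-list and a small grammar (column, func(column), optional alias, optional asc/desc), and double-quotes the resulting identifiers, standing in for what a quoted-identifier builder such as goqu.C() would emit. The `world` table and its column list are assumptions, and values arrive as already-split slices, so splitting a comma-separated query parameter is left to the caller.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for table metadata: the columns each table may expose.
var allowedColumns = map[string]map[string]bool{
	"world": {"id": true, "table_name": true, "created_at": true},
}

// Aggregate functions the hardened builder accepts (compared in lower case).
var allowedFuncs = map[string]bool{"count": true, "sum": true, "min": true, "max": true, "avg": true}

// Grammars: a column or func(column|*) with optional "as alias"; a column or alias with optional asc/desc.
var (
	colExprRe = regexp.MustCompile(`^(?:([A-Za-z]+)\(([A-Za-z_]\w*|\*)\)|([A-Za-z_]\w*))(?:\s+[Aa][Ss]\s+([A-Za-z_]\w*))?$`)
	orderRe   = regexp.MustCompile(`^([A-Za-z_]\w*)(?:\s+([Aa][Ss][Cc]|[Dd][Ee][Ss][Cc]))?$`)
)

func clause(kw string, parts []string) string {
	if len(parts) == 0 {
		return ""
	}
	return " " + kw + " " + strings.Join(parts, ", ")
}

// buildAggregateVulnerable mirrors the behaviour the page attributes to goqu.L: the
// request's values are spliced in verbatim, so "sqlite_version() as ver" runs as SQL.
func buildAggregateVulnerable(table string, columns, group, order []string) string {
	return "SELECT " + strings.Join(columns, ", ") + " FROM " + table +
		clause("GROUP BY", group) + clause("ORDER BY", order)
}

// quoteIdent double-quotes a name that already matched the identifier grammar above.
func quoteIdent(name string) string { return `"` + name + `"` }

// parseColumnExpr returns the SQL fragment for one column expression and its alias (if any).
func parseColumnExpr(table, expr string) (string, string, error) {
	m := colExprRe.FindStringSubmatch(strings.TrimSpace(expr))
	if m == nil {
		return "", "", fmt.Errorf("rejected column expression %q", expr)
	}
	fn, arg, bare, alias := strings.ToLower(m[1]), m[2], m[3], m[4]
	var frag string
	switch {
	case fn == "" && allowedColumns[table][bare]:
		frag = quoteIdent(bare)
	case fn == "count" && arg == "*":
		frag = "count(*)"
	case fn != "" && allowedFuncs[fn] && allowedColumns[table][arg]:
		frag = fn + "(" + quoteIdent(arg) + ")"
	default:
		return "", "", fmt.Errorf("rejected column expression %q", expr)
	}
	if alias != "" {
		frag += " AS " + quoteIdent(alias)
	}
	return frag, alias, nil
}

// buildAggregateHardened validates every request-controlled piece before it reaches
// the statement; ORDER BY may name a column or an alias declared in columns.
func buildAggregateHardened(table string, columns, group, order []string) (string, error) {
	if allowedColumns[table] == nil || len(columns) == 0 {
		return "", fmt.Errorf("unknown table %q or no columns requested", table)
	}
	aliases := map[string]bool{}
	var cols, groups, orders []string
	for _, c := range columns {
		frag, alias, err := parseColumnExpr(table, c)
		if err != nil {
			return "", err
		}
		aliases[alias] = true
		cols = append(cols, frag)
	}
	for _, g := range group {
		if g = strings.TrimSpace(g); !allowedColumns[table][g] {
			return "", fmt.Errorf("rejected group column %q", g)
		}
		groups = append(groups, quoteIdent(g))
	}
	for _, o := range order {
		m := orderRe.FindStringSubmatch(strings.TrimSpace(o))
		if m == nil || !(allowedColumns[table][m[1]] || aliases[m[1]]) {
			return "", fmt.Errorf("rejected order expression %q", o)
		}
		orders = append(orders, strings.TrimSpace(quoteIdent(m[1])+" "+strings.ToUpper(m[2])))
	}
	return "SELECT " + strings.Join(cols, ", ") + " FROM " + quoteIdent(table) +
		clause("GROUP BY", groups) + clause("ORDER BY", orders), nil
}

func main() {
	fmt.Println(buildAggregateVulnerable("world", []string{"sqlite_version() as ver"}, nil, nil))
	fmt.Println(buildAggregateHardened("world", []string{"count(*) as n", "table_name"}, []string{"table_name"}, []string{"n desc"}))
}
```

The vulnerable builder happily produces `SELECT sqlite_version() as ver FROM world`; the hardened one rejects that input, the pragma_database_list subquery, and a stacked `id; DROP TABLE ...` in `order`, while still accepting `count(*) as n` grouped by `table_name` and ordered by the alias `n`. Allowing ORDER BY to reference an alias declared in `column` is the one case a naive check against raw column names alone would wrongly reject, which is why the aliases are tracked.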


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attackers to extract sensitive data such as user credentials and API keys from the database, compromising confidentiality and potentially integrity and availability of the system. Such unauthorized data access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate protection of personal and sensitive information. Therefore, exploitation of this vulnerability could result in violations of these standards due to exposure of protected data. [1, 2]

