20 matches found
CVE-2026-44349
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...
CVE-2026-44349
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...
CVE-2026-44349
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...
CVE-2026-44349 Daptin fuzzy search injects unvalidated column name into raw SQL
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...
CVE-2026-44349 Daptin fuzzy search injects unvalidated column name into raw SQL
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...
CVE-2026-44349
Daptin CVE-2026-44349: The fuzzy search path on /api/ accepts a user-supplied column list and interpolates it into raw SQL without a column whitelist, enabling an authenticated user to read the entire database on vulnerable versions. Affected component: processFuzzySearch in server/resource/resou...
SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection via the processFuzzySearch function. An attacker can access and extract the entire database contents by supplying crafted input to the column parameter in the HTTP API, which is directly interpolated into raw SQL statement...
Daptin fuzzy search injects unvalidated column name into raw SQL
Summary: processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/ with...
GHSA-PWQG-Q8PG-PP6R Daptin fuzzy search injects unvalidated column name into raw SQL
Summary: processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/ with...
EUVD-2010-3719
Malware in sbrugna...
DVFS: a Dynamic Verifiable Fuzzy Search Service for Encrypted Cloud Data
Cloud storage introduces critical privacy challenges for encrypted data retrieval, where fuzzy multi-keyword search enables approximate matching while preserving data confidentiality. Existing solutions face fundamental trade-offs between security and efficiency: linear-search mechanisms provide...
Malicious code in acts-as_fuzzy_search (RubyGems)
MAL-2024-6492 Malicious code in acts-as_fuzzy_search (RubyGems)
SQL Injection
org.apache.streampark:streampark is vulnerable to SQL Injection. The vulnerability is due to not sanitizing user input used inside a name-based fuzzy search (e.g., job names, role names) in some of the pages of the application. An attacker can use illegal parameters for the search leading to SQL...
CVE-2023-30867
In the StreamPark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The SQL syntax: select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters,...
CVE-2023-30867
In the StreamPark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The SQL syntax: select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters,...
CVE-2023-30867
CVE-2023-30867 (Apache StreamPark): The vulnerability arises in the StreamPark platform's name-based fuzzy search (e.g., jobName or roleName) where input used in a LIKE '%…%' clause is not validated, enabling SQL injection. Multiple sources (NVD, Red Hat, CNVD, Veracode, OSV, GHSA, CVE list) con...
CVE-2010-3740
The Net Search Extender (NSE) implementation in the Text Search component in IBM DB2 UDB 9.5 before FP6a does not properly handle an alphanumeric Fuzzy search, which allows remote authenticated users to cause a denial of service (memory consumption and system hang) via the db2ext.textSearch function...
CVE-2010-3740
The Net Search Extender (NSE) implementation in the Text Search component in IBM DB2 UDB 9.5 before FP6a does not properly handle an alphanumeric Fuzzy search, which allows remote authenticated users to cause a denial of service (memory consumption and system hang) via the db2ext.textSearch function...
CVE-2010-3740
IBM DB2 UDB 9.5 before FP6a: The Net Search Extender (NSE) Text Search component mishandles an alphanumeric Fuzzy search, allowing remote authenticated users to cause memory consumption and a potential system hang via db2ext.textSearch. The issue is addressed in Fix Pack 6a (FP6a). If exploiting ...