Summary The "/aggregate/:typename" endpoint accepted "column" and "group" query parameters that were passed verbatim to "goqu.L()" — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. Impact An authenticated low-privilege user could: - Extract data from any table via subquery: "(SELECT group_concat(email) FROM user_account) as leak" - Disclose database internals: "sqlite_version()", "(SELECT sql FROM sqlite_master)" - Exfiltrate cross-table data via correlated subqueries The vulnerability was confirmed locally; "user_account.email" values were extracted via a crafted "column" parameter by a non-admin user. Root Cause "goqu.L(userInput)" in "server/resource/resource_aggregate.go" inserted user-supplied query parameters directly into the SQL string with no validation. Fix (v0.11.4) All "goqu.L()" calls on user-controlled input were eliminated and replaced with: - Structural expression parsing supporting all documented API forms - Schema-based column validation (column names checked against entity schema via "TableInfo().GetColumnByName()") - Exact-match allowlist for aggregate functions ("count", "sum", "avg", "min", "max", "first", "last") and scalar functions ("date", "strftime", "upper", "lower", etc.) - Safe goqu constructors ("goqu.I()", "goqu.SUM()", "goqu.Func()") for all generated expressions - "allowedTables" scope enforcement: qualified column refs ("table.col") validated against root entity + explicitly joined tables only Two additional DoS bugs were fixed in the same commit: "uuid.MustParse" panic on malformed UUID input and an index-out-of-range panic in "ToOrderedExpressionArray" on empty sort expressions. Credits Reported by @VashuVats.