Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
Articles & Coverage 1
AnalysisAI
SQL injection in dotCMS Core (versions 25.11.04-1 through 26.04.28-02) lets remote unauthenticated attackers read, modify, or destroy arbitrary database content through the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll, which neither enforced authentication nor sanitized input before constructing SQL. The flaw carries a maximum CVSS 4.0 base score of 10.0, reflecting full confidentiality, integrity, and availability impact extending to subsequent systems. No public exploit was identified at time of analysis and EPSS is low (0.38%, 60th percentile), but the network-reachable, no-privilege, no-interaction profile makes this an urgent patch for affected (non-LTS) deployments.
Technical ContextAI
dotCMS Core is an open-source, Java-based enterprise content management system; the affected component is its push-publishing 'Publish Audit' REST resource (AuditPublishingResource) backed by PublishAuditAPIImpl. The root cause is CWE-89 (SQL Injection): the getAll code path built an IN-clause by wrapping each supplied bundle ID in single quotes and string-formatting it directly into the SELECT_ALL_BY_BUNDLES_IDS statement via DotConnect, with no parameterization, so attacker-controlled identifiers were interpreted as SQL. The vendor PR (#35553) confirms the fix replaces concatenation with bound parameters ('?' placeholders plus dc.addParam) and adds push-publish authentication (processAuthHeader / getFailResponse) to both the get and getAll endpoints. The single affected product per CPE is cpe:2.3:a:dotcms:dotcms_core:*.
RemediationAI
Upgrade to dotCMS Core 26.04.28-03, which adds parameterized queries and requires an authenticated backend user holding the publishing-queue portlet permission to call these endpoints (Vendor-released patch: 26.04.28-03); see the advisory at https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75 and the patch at https://github.com/dotCMS/core/pull/35553. If immediate patching is not possible, restrict or block external access to the /api/auditPublishing/get and /api/auditPublishing/getAll paths at the reverse proxy or WAF and allow them only from trusted push-publish sender endpoints - note this will break push-publishing/audit synchronization between dotCMS environments that legitimately call these endpoints, so allowlist known sender IPs rather than blocking outright where push publishing is in use. LTS deployments require no action as they are not affected.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32131
GHSA-jpx3-25r2-jq5g