Skip to main content

dotCMS Core CVE-2026-8054

| EUVDEUVD-2026-32131 CRITICAL
SQL Injection (CWE-89)
2026-05-27 dotCMS GHSA-jpx3-25r2-jq5g
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 20:20 vuln.today
Analysis Generated
May 27, 2026 - 20:20 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

AnalysisAI

SQL injection in dotCMS Core (versions 25.11.04-1 through 26.04.28-02) lets remote unauthenticated attackers read, modify, or destroy arbitrary database content through the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll, which neither enforced authentication nor sanitized input before constructing SQL. The flaw carries a maximum CVSS 4.0 base score of 10.0, reflecting full confidentiality, integrity, and availability impact extending to subsequent systems. No public exploit was identified at time of analysis and EPSS is low (0.38%, 60th percentile), but the network-reachable, no-privilege, no-interaction profile makes this an urgent patch for affected (non-LTS) deployments.

Technical ContextAI

dotCMS Core is an open-source, Java-based enterprise content management system; the affected component is its push-publishing 'Publish Audit' REST resource (AuditPublishingResource) backed by PublishAuditAPIImpl. The root cause is CWE-89 (SQL Injection): the getAll code path built an IN-clause by wrapping each supplied bundle ID in single quotes and string-formatting it directly into the SELECT_ALL_BY_BUNDLES_IDS statement via DotConnect, with no parameterization, so attacker-controlled identifiers were interpreted as SQL. The vendor PR (#35553) confirms the fix replaces concatenation with bound parameters ('?' placeholders plus dc.addParam) and adds push-publish authentication (processAuthHeader / getFailResponse) to both the get and getAll endpoints. The single affected product per CPE is cpe:2.3:a:dotcms:dotcms_core:*.

RemediationAI

Upgrade to dotCMS Core 26.04.28-03, which adds parameterized queries and requires an authenticated backend user holding the publishing-queue portlet permission to call these endpoints (Vendor-released patch: 26.04.28-03); see the advisory at https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75 and the patch at https://github.com/dotCMS/core/pull/35553. If immediate patching is not possible, restrict or block external access to the /api/auditPublishing/get and /api/auditPublishing/getAll paths at the reverse proxy or WAF and allow them only from trusted push-publish sender endpoints - note this will break push-publishing/audit synchronization between dotCMS environments that legitimately call these endpoints, so allowlist known sender IPs rather than blocking outright where push publishing is in use. LTS deployments require no action as they are not affected.

Share

CVE-2026-8054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy