CVE-2026-8054 (GCVE-0-2026-8054)

Vulnerability from cvelistv5 – Published: 2026-05-27 07:55 – Updated: 2026-05-27 13:40
Title
Unauthenticated SQL Injection in dotCMS Publish Audit API
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
SSVC (CISA Coordinator, v2.0.3)
Exploitation: none; Automatable: yes; Technical Impact: total
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor: dotCMS
Product: dotCMS Core
Versions: Affected: 25.11.04-1 up to and including 26.04.28-02 (custom); Unaffected: 26.04.28-03 (custom)
Credits
Gerhard Botha — reported to dotCMS through responsible disclosure. Gerhard's GitHub profile: https://github.com/GerhardBotha97
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant

Vulnerability ID: CVE-2026-8054

Status: Confirmed

Status Updated: 2026-06-27 14:36 UTC

Exploited: Yes


Timestamps
First Seen: 2026-06-27
Asserted: 2026-06-27

Scope
Notes: KEVIntel entry: Unauthenticated SQL Injection in dotCMS Publish Audit API | Affected: dotCMS / dotCMS Core | CVSS: 10.0 (CRITICAL) | EPSS: 0.01584 | Used in malware: unknown | Not yet in CISA KEV: True

Evidence

Type: Public Report

Signal: Successful Exploitation

Confidence: 70%

Source: kevintel


Details
Feed KEVIntel (kevintel.com)
Title Unauthenticated SQL Injection in dotCMS Publish Audit API
Vendor dotCMS
Product dotCMS Core
Added Date 2026-06-27T14:36:50.219Z
Cvss Score 10.0
Epss Score 0.01584
Cvss Severity CRITICAL
Epss Percentile 0.72506
Used In Malware unknown
Ahead Of Cisa Kev None
Not Yet In Cisa Kev True

References

Created: 2026-06-27 15:00 UTC | Updated: 2026-06-27 15:00 UTC

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8054",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T13:40:00.690810Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:40:13.159Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/dotCMS/core",
          "defaultStatus": "unaffected",
          "packageName": "dotcms-core",
          "product": "dotCMS Core",
          "repo": "https://github.com/dotCMS/core",
          "vendor": "dotCMS",
          "versions": [
            {
              "lessThanOrEqual": "26.04.28-02",
              "status": "affected",
              "version": "25.11.04-1",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "26.04.28-03",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gerhard Botha \u2014 reported to dotCMS through responsible disclosure. Gerhard\u0027s GitHub profile: https://github.com/GerhardBotha97"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) in the Publish Audit API endpoints (\u003ccode\u003e/api/auditPublishing/get\u003c/code\u003e and \u003ccode\u003e/api/auditPublishing/getAll\u003c/code\u003e) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An unauthenticated remote attacker can execute arbitrary SQL against the dotCMS database via the Publish Audit API endpoints, leading to disclosure, modification, or destruction of data."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T07:55:25.905Z",
        "orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
        "shortName": "dotCMS"
      },
      "references": [
        {
          "name": "dotCMS Known Security Issues \u2014 SI-75",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75"
        },
        {
          "name": "dotCMS/core#35553 \u2014 Fix SQL injection in Publish Audit API",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/dotCMS/core/pull/35553"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unauthenticated SQL Injection in dotCMS Publish Audit API",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
    "assignerShortName": "dotCMS",
    "cveId": "CVE-2026-8054",
    "datePublished": "2026-05-27T07:55:25.905Z",
    "dateReserved": "2026-05-06T19:20:23.237Z",
    "dateUpdated": "2026-05-27T13:40:13.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-8054",
      "date": "2026-06-27",
      "epss": "0.01584",
      "percentile": "0.72506"
    }
  }
}

