Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
Published: 2026-05-27
Score: 10 Critical
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated SQL injection flaw exists in the /api/auditPublishing/get and /api/auditPublishing/getAll endpoints of dotCMS Core. Unsanitized user input is concatenated into dynamically constructed SQL statements, enabling attackers to read, modify, or delete arbitrary database records. This weakness is classified as CWE‑89 and threatens the confidentiality and integrity of the CMS data.

Affected Systems

dotCMS Core versions 25.11.04‑1 through 26.04.28‑02, inclusive. Versions newer than 26.04.28‑02, including LTS releases, are not affected because the vulnerable code path was never backported.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. The EPSS score of 1% suggests a low likelihood of exploitation at the time of analysis, yet the affected endpoints accept unauthenticated requests, making the attack vector clear over the network. The vulnerability is not listed in the CISA KEV catalog. The official fix requires updating to dotCMS Core 26.04.28‑03 or later, which enforces authentication and the publishing‑queue portlet permission before processing any request.

Generated by OpenCVE AI on June 18, 2026 at 12:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade dotCMS Core to version 26.04.28‑03 or later, which implements authentication and permission checks for the affected API endpoints.
  • If an upgrade is not immediately possible, block external access to the /api/auditPublishing/get and /api/auditPublishing/getAll endpoints at the network or application firewall level to prevent unauthenticated exploitation.
  • Ensure that any remaining access to these endpoints enforces proper user authentication and the publishing‑queue permission, and verify that input is sanitized before any database operation is performed.

Generated by OpenCVE AI on June 18, 2026 at 12:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Dotcms
Dotcms dotcms
Vendors & Products Dotcms
Dotcms dotcms

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
Title Unauthenticated SQL Injection in dotCMS Publish Audit API
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: dotCMS

Published:

Updated: 2026-05-27T13:40:13.159Z

Reserved: 2026-05-06T19:20:23.237Z

Link: CVE-2026-8054

cve-icon Vulnrichment

Updated: 2026-05-27T13:40:09.444Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T09:16:32.630

Modified: 2026-06-17T11:03:26.277

Link: CVE-2026-8054

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:00:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')