Impact
An unauthenticated SQL injection flaw exists in the /api/auditPublishing/get and /api/auditPublishing/getAll endpoints of dotCMS Core. Unsanitized user input is concatenated into dynamically constructed SQL statements, enabling attackers to read, modify, or delete arbitrary database records. This weakness is classified as CWE‑89 and threatens the confidentiality and integrity of the CMS data.
Affected Systems
dotCMS Core versions 25.11.04‑1 through 26.04.28‑02, inclusive. Versions newer than 26.04.28‑02, including LTS releases, are not affected because the vulnerable code path was never backported.
Risk and Exploitability
The CVSS score of 10 indicates critical severity. The EPSS score of 1% suggests a low likelihood of exploitation at the time of analysis, yet the affected endpoints accept unauthenticated requests, making the attack vector clear over the network. The vulnerability is not listed in the CISA KEV catalog. The official fix requires updating to dotCMS Core 26.04.28‑03 or later, which enforces authentication and the publishing‑queue portlet permission before processing any request.
OpenCVE Enrichment