CVE Alert

CVE-2026-8054

Severity UNKNOWN (CVSS 0.0, i.e. no score assigned yet)

Unauthenticated SQL Injection in dotCMS Publish Audit API

CVSS Score 0.0
EPSS Score 0.4%
EPSS Percentile 60th

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
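The pattern the advisory describes (an endpoint that splices request input into SQL text and never checks who is calling) and the shape of the fix (an authentication and permission gate plus a bound parameter) are easiest to see side by side. The following is an added example written for this page; it is not dotCMS code. It uses an in-memory SQLite database with a constructed audit table, and the table and column names, the `PUBLISHING_QUEUE_PERMISSION` string, the `principal` dictionary and the payload are all hypothetical stand-ins for the real dotCMS schema and permission model.

```python
"""Added example (not dotCMS code): the SQL injection pattern described in
CVE-2026-8054 and the shape of the fix, modelled with an in-memory SQLite
table. Table/column names, the payload and the permission model are
hypothetical; the real dotCMS schema and endpoints are not reproduced here."""
import sqlite3

# Hypothetical permission string standing in for the publishing-queue portlet
# permission that the fixed endpoint requires.
PUBLISHING_QUEUE_PERMISSION = "portlet:publishing-queue"


def build_db():
    """Constructed sample data: an audit table plus an unrelated table whose
    rows an attacker must never be able to reach through the audit API."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE publishing_audit (bundle_id TEXT, status TEXT)")
    con.executemany("INSERT INTO publishing_audit VALUES (?, ?)",
                    [("b-1", "SUCCESS"), ("b-2", "FAILED")])
    con.execute("CREATE TABLE user_ (userid TEXT, password TEXT)")
    con.execute("INSERT INTO user_ VALUES ('admin', 'hash$abc')")
    return con


def get_audit_vulnerable(con, bundle_id):
    """Vulnerable shape: no caller check, and the untrusted value is
    concatenated straight into the SQL text (CWE-89)."""
    sql = ("SELECT bundle_id, status FROM publishing_audit "
           "WHERE bundle_id = '" + bundle_id + "'")
    return con.execute(sql).fetchall()


class PermissionDenied(Exception):
    pass


def get_audit_fixed(con, principal, bundle_id):
    """Hardened shape mirroring the advisory's fix: require an authenticated
    backend user holding the publishing-queue permission, then bind the value
    as a parameter so it cannot alter the statement's structure."""
    if principal is None or PUBLISHING_QUEUE_PERMISSION not in principal.get("permissions", ()):
        raise PermissionDenied("publishing-queue portlet permission required")
    sql = "SELECT bundle_id, status FROM publishing_audit WHERE bundle_id = ?"
    return con.execute(sql, (bundle_id,)).fetchall()


# Constructed payload: closes the quoted literal, appends a UNION that pulls
# rows from a different table, and comments out the original closing quote.
PAYLOAD = "x' UNION SELECT userid, password FROM user_ -- "


def demo():
    """Returns (rows leaked by the vulnerable query, rows returned by the fixed
    query for the same payload, whether an anonymous caller was rejected)."""
    con = build_db()
    leaked = get_audit_vulnerable(con, PAYLOAD)
    safe = get_audit_fixed(con, {"permissions": {PUBLISHING_QUEUE_PERMISSION}}, PAYLOAD)
    try:
        get_audit_fixed(con, None, "b-1")
        gated = False
    except PermissionDenied:
        gated = True
    return leaked, safe, gated


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable query returns the contents of the unrelated `user_` table, while the parameterised query treats the whole string as a bundle id and matches nothing; an anonymous caller never reaches the query at all. Note that parameter binding alone would not have closed this issue: the advisory's fix also removes the anonymous access, which is the control that limits who can exercise the endpoint at all.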

CWE CWE-89
Vendor dotcms
Product dotcms core
Published May 27, 2026
Last Updated May 27, 2026

Affected Versions

dotCMS / dotCMS Core
25.11.04-1 through 26.04.28-02 inclusive (fixed in 26.04.28-03; LTS releases not affected)
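A small triage helper for the range above, added here as an example rather than taken from dotCMS. It assumes dotCMS Core version strings have the `YY.MM.DD-NN` shape shown on this page, treats a missing build suffix as build 0 (an assumption), and compares the suffix numerically so `-1` and `-01` are equal. The LTS exemption cannot be read from the version number alone, so it is passed in as a separate flag.

```python
"""Added example (not dotCMS code): check whether a dotCMS Core version string
falls inside the range this advisory lists as affected."""
import re

FIRST_AFFECTED = "25.11.04-1"
FIRST_FIXED = "26.04.28-03"  # first release carrying the fix, per the advisory

# Assumed format: two-digit year, month, day, optional numeric build suffix.
_VERSION_RE = re.compile(r"^(\d{2})\.(\d{2})\.(\d{2})(?:-(\d+))?$")


def parse_version(v):
    """Parse 'YY.MM.DD-NN' into a comparable tuple; a missing build suffix is
    treated as 0 (assumption, not documented dotCMS behaviour)."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised dotCMS version string: {v!r}")
    year, month, day, build = m.groups()
    return (int(year), int(month), int(day), int(build) if build is not None else 0)


def is_affected(v, lts=False):
    """True when v is in [25.11.04-1, 26.04.28-03) and is not an LTS build.

    The advisory states the vulnerable code path was never backported to LTS,
    so LTS releases are reported as unaffected regardless of number."""
    if lts:
        return False
    pv = parse_version(v)
    return parse_version(FIRST_AFFECTED) <= pv < parse_version(FIRST_FIXED)


if __name__ == "__main__":
    for candidate in ("25.11.03-9", "25.11.04-01", "26.04.28-02", "26.04.28-03"):
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```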

References

NVD, CVE.org, EPSS Data (external records for this CVE)
dotCMS known security issues (SI-75): https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75
GitHub pull request: https://github.com/dotCMS/core/pull/35553

Credits

Gerhard Botha, who reported the issue to dotCMS through responsible disclosure (GitHub: https://github.com/GerhardBotha97).