
CVE-2026-8054: dotCMS Core SQL Injection in Publish Audit API

Summary

dotCMS Core versions 25.11.04-1 through 26.04.28-02 allow remote unauthenticated attackers to read, modify, or delete arbitrary database content through SQL injection in the Publish Audit API. Because the endpoints required no authentication, any network client could reach the vulnerable code path. To fix this, update to dotCMS Core version 26.04.28-03 or later; after the fix, the endpoints require an authenticated backend user holding the publishing-queue portlet permission, so ensure the backend users who need the audit data have that permission.

Original title
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25....
Original description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
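The description above names two defects (no authentication and unsanitized input concatenated into SQL) and a fix with two layers (an authenticated backend user with the publishing-queue permission, and safe query construction). The following is an added illustration in Python with an in-memory SQLite table, not dotCMS code: the table schema, `publish_audit`, the user dictionary shape and the function names are all hypothetical.

```python
import sqlite3

# Constructed sample rows standing in for a publish-audit table.
# The schema is hypothetical and is not dotCMS's own.
ROWS = [
    ("bundle-1", "PUBLISHED"),
    ("bundle-2", "FAILED"),
    ("bundle-3", "PUBLISHED"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE publish_audit (bundle_id TEXT, status TEXT)")
    conn.executemany("INSERT INTO publish_audit VALUES (?, ?)", ROWS)
    return conn


def get_audit_vulnerable(conn, bundle_id):
    """The pattern the advisory describes: no caller check at all, and the
    untrusted value is spliced into the SQL text, so a quote in the input
    changes the query's structure instead of being matched as data."""
    sql = ("SELECT bundle_id, status FROM publish_audit "
           "WHERE bundle_id = '" + bundle_id + "'")
    return conn.execute(sql).fetchall()


def is_authorized(user):
    """Mirror of the fix's access rule (hypothetical user shape): the caller
    must be an authenticated backend user with the publishing-queue permission."""
    if user is None or not user.get("backend"):
        return False
    return "publishing-queue" in user.get("perms", ())


def get_audit_fixed(conn, user, bundle_id):
    """Hardened form: enforce the permission check first, then bind the input
    as a query parameter so the driver never interprets it as SQL."""
    if not is_authorized(user):
        raise PermissionError("publishing-queue portlet permission required")
    sql = "SELECT bundle_id, status FROM publish_audit WHERE bundle_id = ?"
    return conn.execute(sql, (bundle_id,)).fetchall()
```

Running both functions against the same crafted value shows the difference: the concatenated query returns every row, while the parameterized query treats the value as a literal and returns nothing.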
NVD CVSS 4.0 score: 10.0
Vulnerability type
CWE-89 SQL Injection
Published: 27 May 2026 · Updated: 30 May 2026 · First seen: 27 May 2026