Home

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

PUBLISHED Reserved 2026-05-06 | Published 2026-05-27 | Updated 2026-05-27 | Assigner dotCMS




CRITICAL: 10.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

25.11.04-1 (custom)
affected

26.04.28-03 (custom)
unaffected

Credits

Gerhard Botha — reported to dotCMS through responsible disclosure. Gerhard's GitHub profile: https://github.com/GerhardBotha97 finder

References

dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75 (dotCMS Known Security Issues — SI-75) vendor-advisory

github.com/dotCMS/core/pull/35553 (dotCMS/core#35553 — Fix SQL injection in Publish Audit API) patch

cve.org (CVE-2026-8054)

nvd.nist.gov (CVE-2026-8054)

Download JSON