← back
CVE-2022-26352

CVE-2022-26352

CVSS 9.8 CRITICALEPSS 91.5%● KEV
Vexday Risk Score
100Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS 9.8EPSS 91.5%KEV simPoC públicaNuclei simMetasploit simPatch
Lifecycle
03 May 2022Metasploit module available
17 Jul 2022Published on NVD
25 Aug 2022Active exploitation (CISA KEV)
Weaponization speed
38 daysto active exploitation (KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A vulnerability in dotCMS allows attackers to upload files with unsanitized names, enabling them to save files outside the intended directory and execute malicious code on the server without needing authentication.

Technical detail

The ContentResource API in dotCMS 3.0–22.02 fails to sanitize filenames in multipart form requests, enabling directory traversal attacks. Unauthenticated attackers can exploit this (when anonymous content creation is enabled) to upload executable files (e.g., .jsp) to arbitrary locations, achieving remote code execution on the server.

Summary generated and translated by AI from the official description.
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.