CVE-2026-8054

Unauthenticated SQL Injection in dotCMS Publish Audit API

CVSS 10 CRITICALEPSS 1.6%CWE-89

Vexday Risk Score

63High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 10EPSS 1.6%KEV nãoPoC públicaNuclei simMetasploit —Patch referenciado

Lifecycle

27 May 2026Published on NVD

09 Jun 2026Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected products

dotCMS · dotCMS Core

public PoCs found — 1

githubgithub.com/Mr-xn/CVE-2026-8054★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75 https://github.com/dotCMS/core/pull/35553