SQL Injection Vulnerability in dotCMS Core Affecting Publishing APIs
CVE-2026-8054

Score: 10 (CRITICAL)

Key Information:

Vendor: dotCMS

CVE Published: 27 May 2026

What is CVE-2026-8054?

A vulnerability in the Publish Audit API endpoints of dotCMS Core allows remote, unauthenticated attackers to exploit improper neutralization of special elements used in SQL commands (SQL injection), which can lead to unauthorized reading, modification, or destruction of database content. The affected endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) do not enforce authentication and pass unsanitized request input into dynamically constructed SQL queries. The issue was addressed in dotCMS Core version 26.04.28-03, which restricts these endpoints to authenticated backend users holding specific permissions. LTS releases are unaffected because the vulnerable code was never backported to them.
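As an added illustration (not dotCMS's own code, schema, or permission names, all of which are assumed here), the anti-pattern the advisory describes sits beside the hardened form: the hardened lookup first requires an authenticated backend user with the needed permission and then binds the input as a parameter, so a stray quote is compared as data instead of breaking the query.

```python
import sqlite3
from dataclasses import dataclass


def make_db():
    """Constructed in-memory stand-in for a publishing audit table (not dotCMS's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE publishing_audit (asset_id TEXT, status TEXT)")
    conn.executemany("INSERT INTO publishing_audit VALUES (?, ?)",
                     [("asset-1", "PUBLISHED"), ("asset-2", "FAILED")])
    return conn


@dataclass(frozen=True)
class User:
    """Hypothetical caller identity; passing None models an anonymous request."""
    name: str
    is_backend: bool
    permissions: frozenset


def get_audit_vulnerable(conn, asset_id):
    # Pattern the advisory describes: untrusted input spliced straight into the
    # SQL text, on an endpoint that performs no authentication check at all.
    sql = f"SELECT asset_id, status FROM publishing_audit WHERE asset_id = '{asset_id}'"
    return conn.execute(sql).fetchall()


def get_audit_hardened(conn, user, asset_id):
    # Fix pattern: gate the endpoint on an authenticated backend user holding the
    # required permission (name assumed), then bind the value as a parameter so the
    # database engine only ever treats it as a comparison operand, never as SQL.
    if user is None or not user.is_backend or "PUBLISH_AUDIT_READ" not in user.permissions:
        raise PermissionError("authenticated backend user with publish-audit permission required")
    sql = "SELECT asset_id, status FROM publishing_audit WHERE asset_id = ?"
    return conn.execute(sql, (asset_id,)).fetchall()
```

With the constructed table, a legitimate id returns its row through both functions, while an id containing a quote makes the vulnerable query fail outright and simply matches nothing in the hardened one.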

Affected Version(s)

dotCMS Core 25.11.04-1 through 26.04.28-02

dotCMS Core 26.04.28-03 (fixed version, per the description above)

CVSS v4

  • Score: 10
  • Severity: Critical
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: Undefined
  • User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Gerhard Botha — reported to dotCMS through responsible disclosure. Gerhard's GitHub profile: https://github.com/GerhardBotha97.