CVE-2026-8054

216.73.216.233

· Published 27/05/2026 09:16 · Modified 27/05/2026 19:38

Labels: CVE-2026-8054 2026-05-27 CVE-2026-8054 CWE-89 [email protected]

Essential information

Published: 27/05/2026 09:16
Modified: 27/05/2026 19:38
Author: —
Creator: —
CVSS: 10.0 CRITICAL (v3) 10.0 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
dotcms / dotcms core	`cpe:2.3:a:dotcms:dotcms_core:25.11.04-26.04.28-02:::::::*`
dotcms / dotcms core	`cpe:2.3:a:dotcms:dotcms_core:26.04.28-03:::::::*`