CVE-2026-8054: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in dotCMS dotCMS Core
CVE-2026-8054 is a critical SQL Injection vulnerability in dotCMS Core versions 25. 11. 04-1 through 26. 04. 28-02 affecting the Publish Audit API endpoints. These endpoints did not enforce authentication and accepted unsanitized input in dynamically constructed SQL queries, allowing remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The vulnerability is fixed in dotCMS Core 26. 04. 28-03 by requiring an authenticated backend user with specific permissions. Long-term support (LTS) releases are not affected as the vulnerable code was never backported.
AI Analysis
Technical Summary
This vulnerability involves improper neutralization of special elements in SQL commands (SQL Injection) in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) of dotCMS Core. The affected versions (25.11.04-1 through 26.04.28-02) allowed unauthenticated remote attackers to execute arbitrary SQL commands due to lack of authentication enforcement and unsanitized input handling. The fix introduced in version 26.04.28-03 enforces authentication and permission checks, mitigating the risk. LTS versions remain unaffected.
Potential Impact
Exploitation of this vulnerability allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content within the affected dotCMS Core versions. This can lead to complete compromise of the database integrity and confidentiality. The CVSS 4.0 base score is 10.0, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix is available in dotCMS Core version 26.04.28-03, which requires authenticated backend users with the publishing-queue portlet permission to access the affected API endpoints. Users should upgrade to this version or later to remediate the vulnerability. LTS releases are not affected and do not require action. Patch status is confirmed by the vendor advisory embedded in the description.
CVE-2026-8054: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in dotCMS dotCMS Core
Description
CVE-2026-8054 is a critical SQL Injection vulnerability in dotCMS Core versions 25. 11. 04-1 through 26. 04. 28-02 affecting the Publish Audit API endpoints. These endpoints did not enforce authentication and accepted unsanitized input in dynamically constructed SQL queries, allowing remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The vulnerability is fixed in dotCMS Core 26. 04. 28-03 by requiring an authenticated backend user with specific permissions. Long-term support (LTS) releases are not affected as the vulnerable code was never backported.
CVSS v4.0
Score 10.0critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper neutralization of special elements in SQL commands (SQL Injection) in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) of dotCMS Core. The affected versions (25.11.04-1 through 26.04.28-02) allowed unauthenticated remote attackers to execute arbitrary SQL commands due to lack of authentication enforcement and unsanitized input handling. The fix introduced in version 26.04.28-03 enforces authentication and permission checks, mitigating the risk. LTS versions remain unaffected.
Potential Impact
Exploitation of this vulnerability allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content within the affected dotCMS Core versions. This can lead to complete compromise of the database integrity and confidentiality. The CVSS 4.0 base score is 10.0, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix is available in dotCMS Core version 26.04.28-03, which requires authenticated backend users with the publishing-queue portlet permission to access the affected API endpoints. Users should upgrade to this version or later to remediate the vulnerability. LTS releases are not affected and do not require action. Patch status is confirmed by the vendor advisory embedded in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- dotCMS
- Date Reserved
- 2026-05-06T19:20:23.237Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16b394e29bf47b50abe8cb
Added to database: 5/27/2026, 9:04:20 AM
Last enriched: 5/27/2026, 9:18:23 AM
Last updated: 5/27/2026, 10:07:46 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.