CVE-2026-8054 (Critical, Published)
Unauthenticated SQL Injection in dotCMS Publish Audit API
- Vendor: dotCMS
- Product: dotCMS Core
- Published: May 27, 2026
- EPSS: —
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
Weaknesses (CWE)
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores
- CVSS 4.0 base vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Exploitation status
- Proof of concept available (recorded 2026-06-08 16:40:00 UTC, source: GitHub)
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-8054.yaml | Jun 10, 2026 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
- GitHub: "dotCMS Pre-auth SQL Injection" (created 2026-06-09 03:27:09 UTC, 0 stars)
- Nuclei: created Unknown
- 1 private PoC available (details only available through the KEVIntel Pro API)
Timeline
- Detected by Nuclei
- Proof of Concept Exploit Available
- CVE Published to Public
- CVE ID Reserved