CVE-2026-8054
CriticalSummary
In dotCMS Core versions 25.11.04-1 through 26.04.28-02, there is an SQL Injection vulnerability in the Publish Audit API endpoints, allowing remote unauthenticated attackers to read, modify, or destroy arbitrary database content.
Risk Assessment
The lack of authentication in the endpoints poses a significant risk to data integrity within the organization, enabling attackers to manipulate database content.
Recommendation
It is recommended to upgrade to dotCMS Core version 26.04.28-03 or later to enforce authentication for users with the appropriate permissions.
Original NVD description (English source)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

