CVE-2026-8054

Source
https://cve.org/CVERecord?id=CVE-2026-8054
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8054.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8054
Published
2026-05-27T07:55:25.905Z
Modified
2026-07-08T08:13:52.971733935Z
Severity
  • 10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Unauthenticated SQL Injection in dotCMS Publish Audit API
Details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8054.json",
    "cna_assigner": "dotCMS",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/dotcms/core

Affected ranges

Type
GIT
Repo
https://github.com/dotcms/core
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "25.11.04-1"
        },
        {
            "last_affected": "26.04.28-02"
        },
        {
            "fixed": "26.04.28-02"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8054.json"