CVE-2026-8054
Published 2026-05-27
CVE-2026-8054: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and…
Priority: P1 · CVSS 4.0 base score: 10.0 (critical)
Exploited in the wild (VulnCheck KEV); initial access
EPSS: 1.58% (72.5th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dotcms | dotcms_core | 25.11.04-1 – 26.04.28-02 | — |
Detection & IOCs (extracted from sources)
command["x' || (SELECT CASE WHEN 1=2 THEN pg_sleep(0)::text ELSE '' END) || '"]
command["x' || (SELECT CASE WHEN 1=1 THEN pg_sleep(5)::text ELSE '' END) || '"]
- Monitor for unauthenticated POST requests to /api/auditPublishing/get and /api/auditPublishing/getAll — these endpoints should require authentication in patched versions (26.04.28-03+); any unauthenticated access is suspicious.
- Detect time-based blind SQLi exploitation attempts by alerting on POST bodies to /api/auditPublishing/getAll containing pg_sleep() calls, indicative of PostgreSQL time-delay injection probes.
- The Nuclei template uses a two-step flow: the first request validates a baseline 200 response with an empty JSON array body, the second request triggers a 5-second pg_sleep delay. Correlate response durations >= 5s on these endpoints as a strong exploitation signal.
- Shodan/FOFA/Google dork fingerprinting for exposed dotCMS instances: http.title:"dotcms", title="dotcms", intitle:"dotcms". Use these to identify internet-exposed attack surface.
- The SQLi payloads in the Nuclei template are PostgreSQL-specific (pg_sleep). The exploit will only work against dotCMS instances backed by a PostgreSQL database; other database backends are not targeted by this technique.
- The fix requires an authenticated backend user with the publishing-queue portlet permission. Ensure WAF/reverse-proxy rules block unauthenticated requests to /api/auditPublishing/* until the patch (26.04.28-03) is applied.
- LTS releases are confirmed not affected; do not apply detection rules for this CVE to LTS-track dotCMS deployments, to avoid false positives.
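The detection notes above combine three signals: an unauthenticated POST to the audit endpoints, pg_sleep() in the request body, and a response time at or above the 5-second delay the Nuclei probe uses. The following is an added example (not from the page or from dotCMS) that scores request records on those signals; the record schema (method, path, authenticated, body, duration) and the sample records are assumptions constructed for illustration.

```python
import re

# Endpoints named in the advisory; in fixed builds (26.04.28-03+) they require
# an authenticated backend user, so unauthenticated hits are suspicious.
AUDIT_ENDPOINTS = ("/api/auditPublishing/get", "/api/auditPublishing/getAll")
PG_SLEEP = re.compile(r"pg_sleep\s*\(", re.IGNORECASE)
DELAY_THRESHOLD_S = 5.0  # the Nuclei probe sleeps 5 s; correlate on response time


def analyze(record):
    """Return the detection reasons raised by one request record.

    Assumed log schema: method, path, authenticated (bool), body (str),
    duration (response time in seconds).
    """
    reasons = []
    if not record["path"].startswith(AUDIT_ENDPOINTS):
        return reasons  # not an audit-API request; out of scope
    if record["method"] == "POST" and not record["authenticated"]:
        reasons.append("unauthenticated-audit-api-access")
    if PG_SLEEP.search(record.get("body", "")):
        reasons.append("pg_sleep-in-body")
    if record.get("duration", 0.0) >= DELAY_THRESHOLD_S:
        reasons.append("delayed-response")
    return reasons


def severity(reasons):
    """Two or more signals together (e.g. pg_sleep plus a >=5 s response)
    is the strong exploitation signal the detection notes describe."""
    if not reasons:
        return "none"
    return "high" if len(reasons) >= 2 else "medium"


# Constructed sample records (not captured traffic): a baseline probe, the
# time-delay probe, a legitimate authenticated call, and unrelated traffic.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/api/auditPublishing/getAll", "authenticated": False,
     "body": "x' || (SELECT CASE WHEN 1=2 THEN pg_sleep(0)::text ELSE '' END) || '", "duration": 0.12},
    {"method": "POST", "path": "/api/auditPublishing/getAll", "authenticated": False,
     "body": "x' || (SELECT CASE WHEN 1=1 THEN pg_sleep(5)::text ELSE '' END) || '", "duration": 5.21},
    {"method": "POST", "path": "/api/auditPublishing/get", "authenticated": True,
     "body": "assetId=abc", "duration": 0.05},
    {"method": "GET", "path": "/api/v1/content/search", "authenticated": False,
     "body": "", "duration": 6.0},
]


def scan(records):
    """Return (index, severity, reasons) for every record that raised a signal."""
    return [(i, severity(r), r) for i, rec in enumerate(records) if (r := analyze(rec))]


if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {sev} {why}")
```

Apply the LTS caveat from the notes before deploying this: run it only against non-LTS dotCMS deployments.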
CVSS provenance
- NVD (CVSS v4.0): 10.0 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-jpx3-25r2-jq5g (ghsa_unreviewed · 2026-05-27): CVE-2026-8054 [CRITICAL] CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and
VulnCheck
vulncheck · 2026 · CVSS 10.0: CVE-2026-8054 [CRITICAL] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Required Action: Apply remediations or mitigations per vendor instructions or d
No detection rules found.
Nuclei
nuclei · CVSS 10.0: CVE-2026-8054 [CRITICAL] dotCMS Core Publish Audit API - Unauthenticated SQL Injection
dotCMS Core 25.11.04-1 through 26.04.28-02 contains an SQL injection caused by unsanitized input in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll), letting remote unauthenticated attackers read, modify, or destroy arbitrary database content; the exploit requires no authentication.
Template:
```yaml
id: CVE-2026-8054
info:
  name: dotCMS Core Publish Audit API - Unauthenticated SQL Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    dotCMS Core 25.11.04-1 through 26.04.28-02 contains an SQL injection caused by unsanitized input in Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll), letting remote unauthenticated attackers read, modify, or destroy arbitr
```
No writeups or analysis indexed.
Timeline: 2026-05-27 published; exploited in the wild.