cbcvebase.
CVE-2026-8054
published 2026-05-27

CVE-2026-8054: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and…

Priority: P1 83, critical
CVSS 4.0: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Exploited in the wild: yes (VulnCheck KEV, initial access)
EPSS: 1.58% (72.5th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

Affected

1 range

Vendor    Product       Version range              Fixed in
dotcms    dotcms_core   25.11.04-1 – 26.04.28-02   26.04.28-03

Detection & IOCs (extracted from sources)

URL: /api/auditPublishing/get
URL: /api/auditPublishing/getAll
Payload (POST body, baseline probe, no delay): ["x' || (SELECT CASE WHEN 1=2 THEN pg_sleep(0)::text ELSE '' END) || '"]
Payload (POST body, time-delay probe, 5 s): ["x' || (SELECT CASE WHEN 1=1 THEN pg_sleep(5)::text ELSE '' END) || '"]
  • Monitor for unauthenticated POST requests to /api/auditPublishing/get and /api/auditPublishing/getAll. Patched versions (26.04.28-03 and later) require an authenticated backend user for these endpoints, so any unauthenticated access is suspicious.
  • Detect time-based blind SQLi attempts by alerting on POST bodies to /api/auditPublishing/getAll that contain pg_sleep() calls, the PostgreSQL time-delay primitive. The payloads above close the quoted string literal with a single quote, concatenate a subselect with ||, and reopen the literal, so the query stays syntactically valid while the CASE condition decides whether pg_sleep runs.
  • The Nuclei template uses a two-step flow: the first request establishes a baseline (HTTP 200 with an empty JSON array body), the second triggers a 5-second pg_sleep delay. Correlate a fast baseline followed by a response of 5 s or more on these endpoints from the same source as a strong exploitation signal; a single slow response on its own can also be load or network latency.
  • Shodan/FOFA/Google dork fingerprinting for exposed dotCMS instances: http.title:"dotcms", title="dotcms", intitle:"dotcms". Use these to identify internet-exposed attack surface.
  • The SQLi payloads in the Nuclei template are PostgreSQL-specific (pg_sleep). The probe only produces a delay against dotCMS instances backed by a PostgreSQL database; other database backends are not targeted by this technique.
  • The fix requires an authenticated backend user with the publishing-queue portlet permission. Until 26.04.28-03 is applied, block unauthenticated requests to /api/auditPublishing/* at the WAF or reverse proxy.
  • LTS releases are confirmed not affected; scope the detection rules for this CVE to non-LTS dotCMS deployments to avoid false positives.
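The three detection rules above (unauthenticated access to the audit endpoints, pg_sleep in a POST body, and the fast-baseline-then-5-second-delay sequence), applied to access-log records, as an added example that is not part of the original advisory, the Nuclei template, or dotCMS itself. The JSON-lines record schema (ts, src, method, path, status, authenticated, body, resp, duration_ms), the rule names, and the sample records are assumptions constructed for the example; map your proxy or WAF fields onto that schema.

```python
"""Log triage for the CVE-2026-8054 detection rules (added example, not part
of the advisory or of dotCMS). Records are JSON lines with the fields ts
(epoch seconds), src, method, path, status, authenticated, body, resp and
duration_ms; that schema is an assumption, map your proxy/WAF fields onto it."""
from __future__ import annotations

import json
import re

AUDIT_ENDPOINTS = {"/api/auditPublishing/get", "/api/auditPublishing/getAll"}
# pg_sleep(<seconds>) anywhere in the body: PostgreSQL time-delay probe
PG_SLEEP_RE = re.compile(r"pg_sleep\s*\(\s*\d+(?:\.\d+)?\s*\)", re.IGNORECASE)
# The Nuclei flow sleeps for 5 s; a response at or above that is the signal
DELAY_THRESHOLD_MS = 5000

# Constructed sample log, not captured traffic: an unauthenticated two-step
# probe from 203.0.113.7, a legitimate authenticated call, and unrelated noise.
SAMPLE_LOG = r'''
{"ts": 1000.0, "src": "203.0.113.7", "method": "POST", "path": "/api/auditPublishing/getAll", "status": 200, "authenticated": false, "body": "[\"x' || (SELECT CASE WHEN 1=2 THEN pg_sleep(0)::text ELSE '' END) || '\"]", "resp": "[]", "duration_ms": 42}
{"ts": 1001.2, "src": "203.0.113.7", "method": "POST", "path": "/api/auditPublishing/getAll", "status": 200, "authenticated": false, "body": "[\"x' || (SELECT CASE WHEN 1=1 THEN pg_sleep(5)::text ELSE '' END) || '\"]", "resp": "[]", "duration_ms": 5038}
{"ts": 1002.0, "src": "198.51.100.4", "method": "POST", "path": "/api/auditPublishing/getAll", "status": 200, "authenticated": true, "body": "[\"bundle-42\"]", "resp": "[]", "duration_ms": 31}
{"ts": 1003.0, "src": "198.51.100.9", "method": "GET", "path": "/api/v1/content/x", "status": 200, "authenticated": false, "body": "", "resp": "", "duration_ms": 12}
'''


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_audit_post(rec: dict) -> bool:
    """True for a POST to either Publish Audit endpoint (query string ignored)."""
    path = rec.get("path", "").split("?", 1)[0]
    return rec.get("method") == "POST" and path in AUDIT_ENDPOINTS


def classify(rec: dict) -> list[str]:
    """Return the names of the rules a single record triggers, in rule order."""
    findings: list[str] = []
    if not is_audit_post(rec):
        return findings
    if not rec.get("authenticated", False):
        findings.append("unauthenticated_audit_api_access")
    if PG_SLEEP_RE.search(rec.get("body", "")):
        findings.append("pg_sleep_in_body")
    if rec.get("duration_ms", 0) >= DELAY_THRESHOLD_MS:
        findings.append("slow_response_ge_5s")
    return findings


def correlate_two_step(records: list[dict], window_s: float = 60.0) -> list[tuple[str, float, float]]:
    """Reproduce the Nuclei two-step flow as a correlation rule: per source, a
    fast HTTP 200 with an empty JSON array body to an audit endpoint followed
    within window_s by a pg_sleep request that took >= DELAY_THRESHOLD_MS.
    Returns (src, baseline_ts, delayed_ts) triples."""
    by_src: dict[str, list[dict]] = {}
    for rec in records:
        by_src.setdefault(rec["src"], []).append(rec)
    hits: list[tuple[str, float, float]] = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, base in enumerate(recs):
            if not (is_audit_post(base) and base.get("status") == 200
                    and base.get("resp", "").strip() == "[]"
                    and base.get("duration_ms", 0) < DELAY_THRESHOLD_MS):
                continue
            for later in recs[i + 1:]:
                if later["ts"] - base["ts"] > window_s:
                    break
                flags = classify(later)
                if "pg_sleep_in_body" in flags and "slow_response_ge_5s" in flags:
                    hits.append((src, base["ts"], later["ts"]))
                    break
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec["src"], rec["path"], classify(rec))
    print("two-step probes:", correlate_two_step(recs))
```

The per-record rules fire independently, so a tuning decision is needed on the duration rule: on its own it catches any slow call to these endpoints, which is why the correlation function insists on a fast baseline from the same source first. On LTS deployments, where the code path was never present, the endpoints should not answer at all, so the correlation rule will not produce hits there.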

CVSS provenance

NVD (CVSS v4.0): 10.0 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL