CVE-2022-26352

CRITICAL KEV RANSOMWARE NUCLEI

dotcms 3.0-22.02 - Unauthenticated Path Traversal and Remote Code Execution via ContentResource API

Title source: llm

Exploitation Summary

CVE-2022-26352 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Shubham Shah, Hussein Daher, jheysel-r7, including a Metasploit module exploits/multi/http/dotcms_file_upload_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits a path traversal vulnerability in dotCMS (CVE-2022-26352) to upload a malicious JSP file to the webapp/ROOT directory, achieving remote code execution. The exploit leverages unsanitized filenames in multipart requests to write files outside the intended temp directory.

Description

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Shubham Shah, Hussein Daher, jheysel-r7 · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/dotcms_file_upload_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a path traversal vulnerability in dotCMS (CVE-2022-26352) to upload a malicious JSP file to the webapp/ROOT directory, achieving remote code execution. The exploit leverages unsanitized filenames in multipart requests to write files outside the intended temp directory.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: dotCMS (versions affected by CVE-2022-26352)

No auth needed

Prerequisites: Network access to the dotCMS API endpoint · dotCMS instance vulnerable to CVE-2022-26352

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

DotCMS - Arbitrary File Upload

CRITICALby h1ei1

Shodan: http.title:"dotcms"

FOFA: title="dotcms"

References (3)

Core 3

Core References

Permissions Required, Third Party Advisory x_refsource_misc

https://groups.google.com/g/dotcms

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26352

Scores

CVSS v3 9.8

EPSS 0.9431

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2022-08-25

VulnCheck KEV 2022-07-14

InTheWild.io 2022-08-25

ENISA EUVD EUVD-2022-30911

Ransomware Use Confirmed

Status published

Products (1)

dotcms/dotcms 3.0 - 22.02

Published Jul 17, 2022

KEV Added Aug 25, 2022

Tracked Since Feb 18, 2026