CVE-2026-8054

CRITICAL NUCLEI LAB

Unauthenticated SQL Injection in dotCMS Publish Audit API

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-8054. PoCs published by Mr-xn. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository provides a Docker-based environment to exploit CVE-2026-8054 in dotCMS 25.11.04-1, likely involving JNDI injection or database misconfiguration. The setup includes PostgreSQL and Elasticsearch dependencies, with scripts to configure the vulnerable environment.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

Exploits (1)

GitHub · WORKING POC
by Mr-xn · dockerfile · poc
https://github.com/Mr-xn/CVE-2026-8054

Classification
Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: dotCMS 25.11.04-1
No auth needed
Prerequisites: Docker environment · PostgreSQL and Elasticsearch containers
devstral-2 · analyzed Jun 09, 2026

Nuclei Templates (1)

dotCMS Core Publish Audit API - Unauthenticated SQL Injection
CRITICAL · by DhiyaneshDk
Shodan: http.title:"dotcms"
FOFA: title="dotcms"

References (2)

Core References
Vendor Advisory
dotCMS Known Security Issues — SI-75
https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75
Patch
dotCMS/core#35553 — Fix SQL injection in Publish Audit API
https://github.com/dotCMS/core/pull/35553

Scores

CVSS v4: 10.0
EPSS: 0.0633
EPSS Percentile: 91.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Lab Environment

Community Lab
docker pull dotcms/dotcms:25.11.04-1
docker pull elasticsearch:7.17.24

Details

CWE: CWE-89
Status: published
Products (2)
dotCMS/dotCMS Core 25.11.04-1 - 26.04.28-02
dotCMS/dotCMS Core 26.04.28-03
Published: May 27, 2026
Tracked Since: May 27, 2026