PT-2026-43625 · PostgreSQL Global Development Group (+1 more) · PostgreSQL (+1 more)
Published 2026-05-27 · Updated 2026-05-28
CVE-2026-8054
CVSS v4.0: 10 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
dotCMS Core versions 25.11.04-1 through 26.04.28-02
Description
Improper neutralization of special elements used in an SQL command allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The issue exists in the Publish Audit API endpoints "/api/auditPublishing/get" and "/api/auditPublishing/getAll", which do not enforce authentication and accept unsanitized input used in dynamically constructed SQL. This enables an attacker to impact the entire dotCMS PostgreSQL database with a single HTTP request.
Recommendations
Update to version 26.04.28-03 or later to ensure the endpoints require an authenticated backend user with the publishing-queue portlet permission.
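Two defender-side checks for this advisory, as an added example that is not part of the advisory or of the dotCMS project: a comparison of a dotCMS version string against the affected range quoted above (versions such as 26.04.28-02 parsed into numeric tuples so that zero-padding and the build suffix compare correctly), and a scan of access-log lines for requests to the two audit endpoints, which an unpatched instance serves without authentication. The common log format and the sample lines are assumptions constructed for the example.

```python
import re
from typing import List, Tuple
# Affected range quoted from the advisory; 26.04.28-03 is the first fixed build.
AFFECTED_FIRST = "25.11.04-1"
AFFECTED_LAST = "26.04.28-02"
# Endpoints named in the advisory. Until patched they require no authentication,
# so on an unpatched instance every request to them is worth reviewing.
AUDIT_ENDPOINTS = {"/api/auditPublishing/get", "/api/auditPublishing/getAll"}
# dotCMS versions look like YY.MM.DD with an optional "-NN" build suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")
# Minimal common-log-format matcher (assumption: access logs use this format).
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Convert '26.04.28-02' to (26, 4, 28, 2) so versions compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised dotCMS version: {version!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range (inclusive)."""
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST)


def find_audit_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, method, path) for every request to an audit endpoint."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess
        client, method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # match on the path, ignore the query string
        if path in AUDIT_ENDPOINTS:
            hits.append((client, method, path))
    return hits


# Constructed sample log lines (not real traffic) to exercise the scanner.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2026:10:00:01 +0000] "GET /api/auditPublishing/getAll HTTP/1.1" 200 5120',
    '198.51.100.9 - - [27/May/2026:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 880',
    '203.0.113.5 - - [27/May/2026:10:00:03 +0000] "GET /api/auditPublishing/get?page=1 HTTP/1.1" 200 640',
]
```

After upgrading, the same log scan is still useful: requests to these endpoints that now return an authentication failure show who was probing them before the fix landed.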
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Postgresql
Dotcms Core