SQL Injection in dotCMS Core

CVE-2026-8054

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote…

Vulnerability class: SQL Injection

EPSS: 0.005 (64.3rd percentile)

Affected products

Weakness classification (CWE)

References