Dotcms Dotcms Core
6 CVEs affecting Dotcms Dotcms Core. Latest disclosed: 2026-05-27. Critical: 1, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-4447 | Critical | 9.9 | 2024-07-26 | In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dw… |
| CVE-2024-3938 | Medium | 5.4 | 2024-07-25 | The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrate… |
| CVE-2023-3042 | Medium | 5.3 | 2023-10-17 | In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access… |
| CVE-2024-3165 | Medium | 4.5 | 2024-04-01 | System → Maintenance → Log Files in the dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a mode… |
| CVE-2024-3164 | Medium | 4.5 | 2024-04-01 | In the dotCMS dashboard, the Tools and Log Files tabs under the System → Maintenance Portlet, which is and always has been an Admin portlet, are accessible to anyone wi… |
| CVE-2026-8054 | | | 2026-05-27 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/audi… |