CVE-2025-8311

Critical

Published: 04 September 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 9.4
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0220 (84.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8311 is a critical-severity SQL Injection (CWE-89) vulnerability in dotCMS (product inferred from references). Its CVSS base score is 9.4 (Critical).

Operationally, it is ranked in the top 15.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

dotCMS versions 24.03.22 and later contain a Boolean-based blind SQL injection vulnerability in the /api/v1/contenttype endpoint. The sites query parameter accepts a comma-separated list of site identifiers or keys that is directly concatenated into a SQL query without sanitization, allowing malformed input to alter query logic.

An authenticated attacker with low privileges can supply crafted values to the sites parameter and leverage automated tools such as SQLMap to extract arbitrary database contents, escalate privileges, or induce denial-of-service conditions through repeated or resource-intensive payloads. Full database exfiltration has been demonstrated in verification testing.

The vendor advisory at https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-73 states that the issue is resolved in dotCMS releases 25.08.14, 25.07.10-1v2 LTS, 24.12.27v10 LTS, and 24.04.24v21 LTS. The associated EPSS score has remained flat at 0.0220 with no material increase since disclosure.
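One way to handle a comma-separated sites value without concatenating it into the query, added here as an illustration in Python with SQLite. It is not dotCMS code: the table and column names, the token pattern, the site cap and the function names are assumptions, and the sample rows are constructed.

```python
import re
import sqlite3

# Assumption: site identifiers and keys use only these characters.
SITE_TOKEN = re.compile(r"[A-Za-z0-9._-]{1,255}")
MAX_SITES = 100  # assumed cap; keeps the IN list and bind count bounded

def parse_sites(raw):
    """Split the comma-separated `sites` value; reject anything that is not a plain token."""
    tokens = [t.strip() for t in raw.split(",") if t.strip()]
    if len(tokens) > MAX_SITES:
        raise ValueError("too many sites")
    for token in tokens:
        if not SITE_TOKEN.fullmatch(token):
            raise ValueError(f"invalid site token: {token!r}")
    return tokens

def query_by_sites(conn, sites):
    """Bind each site as a parameter; only '?' markers are ever formatted into the SQL text."""
    if not sites:
        return []
    markers = ",".join("?" * len(sites))
    sql = f"SELECT name FROM content_type WHERE site IN ({markers}) ORDER BY name"
    return [row[0] for row in conn.execute(sql, list(sites))]

def find_content_types(conn, raw_sites):
    """Validate first, then query with bound parameters (defence in depth)."""
    return query_by_sites(conn, parse_sites(raw_sites))

def make_demo_db():
    """Constructed sample data; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content_type (name TEXT, site TEXT)")
    conn.executemany("INSERT INTO content_type VALUES (?, ?)",
                     [("Blog", "site-a"), ("News", "site-b"), ("Payroll", "internal")])
    return conn

if __name__ == "__main__":
    db = make_demo_db()
    print(find_content_types(db, "site-a, site-b"))
    malformed = "site-a' OR '1'='1"  # constructed malformed value
    print(query_by_sites(db, [malformed]))  # bound as a literal string, matches no row
    try:
        find_content_types(db, malformed)
    except ValueError as exc:
        print("rejected:", exc)
```

Binding alone already stops the value from changing query logic; the token check adds an early, loggable rejection point for malformed sites values.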

EU & UK References

Vulnerability details

dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the sites parameter, which was directly concatenated into a SQL query without proper sanitization. Exploitation allowed an authenticated attacker with low privileges to extract data from database, perform privilege escalation, or trigger denial-of-service conditions. The vulnerability was verified using tools such as SQLMap and confirmed to allow full database exfiltration and potential denial-of-service conditions via crafted payloads. The vulnerability is fixed in the following versions of dotCMS stack: 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Dotcms
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References