CVE-2026-8054
Published: 27 May 2026
Summary
CVE-2026-8054 is a critical-severity SQL Injection (CWE-89) vulnerability in dotCMS (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2026-8054 is an SQL injection vulnerability (CWE-89) affecting the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core versions 25.11.04-1 through 26.04.28-02. The endpoints accepted unsanitized input that was used directly in dynamically constructed SQL statements and did not enforce any authentication checks, resulting in a CVSS 4.0 score of 10.0.
Remote unauthenticated attackers can exploit the flaw over the network to read, modify, or destroy arbitrary database content without any user interaction or privileges.
The referenced advisory and pull request state that the issue is resolved in dotCMS Core 26.04.28-03 by requiring an authenticated backend user possessing the publishing-queue portlet permission; LTS releases are unaffected because the vulnerable code path was never backported. The EPSS score has remained flat at 0.0633 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-32131
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
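The two ingredients of this flaw as described in the analysis and details sections (request input spliced into SQL text, and no caller check), contrasted with the shape of the fix (a permission precondition plus a bound parameter), as an added Python example against an in-memory SQLite table. This is not dotCMS code: the table, column names, caller dictionary and the "publishing-queue" permission string are assumptions.

```python
import sqlite3

# Constructed stand-in for the publish-audit store (assumed schema, not dotCMS's).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE publish_audit (bundle_id TEXT PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO publish_audit VALUES (?, ?)",
                     [("bundle-1", "SUCCESS"), ("bundle-2", "FAILED")])
    return conn

# Constructed caller records; a real portlet-permission check would consult the user's roles.
ADMIN = {"backend": True, "perms": {"publishing-queue"}}
FRONTEND_USER = {"backend": False, "perms": set()}
ANONYMOUS = None

class AuthError(PermissionError):
    pass

def is_authorized(caller):
    # Mirrors the stated fix: an authenticated backend user holding the publishing-queue permission.
    return bool(caller) and caller.get("backend") is True and "publishing-queue" in caller.get("perms", ())

def get_audit_vulnerable(conn, bundle_id):
    # Anti-pattern matching the advisory: the parameter becomes part of the statement text
    # and nobody checks who is asking. Any quote character in bundle_id is read as SQL syntax.
    sql = f"SELECT bundle_id, status FROM publish_audit WHERE bundle_id = '{bundle_id}'"
    return conn.execute(sql).fetchall()

def get_audit_hardened(conn, bundle_id, caller):
    if not is_authorized(caller):
        raise AuthError("publishing-queue portlet permission required")
    # Bound parameter: the driver sends bundle_id as a value, so quotes inside it stay data.
    sql = "SELECT bundle_id, status FROM publish_audit WHERE bundle_id = ?"
    return conn.execute(sql, (bundle_id,)).fetchall()

def input_alters_sql_syntax(conn, bundle_id):
    """True when the dynamic-SQL version lets the input change the statement's structure."""
    try:
        get_audit_vulnerable(conn, bundle_id)
        return False
    except sqlite3.Error:  # e.g. an unterminated string literal from a stray quote
        return True

if __name__ == "__main__":
    db = build_db()
    print(get_audit_hardened(db, "bundle-1", ADMIN))      # [('bundle-1', 'SUCCESS')]
    print(get_audit_hardened(db, "bundle-1'", ADMIN))     # [] : the quote is just data
    print(input_alters_sql_syntax(db, "bundle-1'"))       # True : the quote broke the SQL
```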
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated SQL injection in public API endpoints enables remote exploitation of a public-facing application (T1190).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.