{"repro_id":"REPRO-2026-00194","version":31,"title":"Unauthenticated SQL injection in dotCMS Publish Audit API","repro_type":"security","status":"published","severity":"critical","description":"CVE-2026-8054 / GHSA-jpx3-25r2-jq5g affects dotCMS Core Publish Audit API endpoints. Public advisory data reports unauthenticated SQL injection in /api/auditPublishing/get and /api/auditPublishing/getAll for dotCMS Core versions 25.11.04-1 through 26.04.28-02, fixed in 26.04.28-03. The vulnerable path was not backported to LTS releases.","cve_id":"CVE-2026-8054","cwe_id":"CWE-89 SQL Injection","package":{"name":"dotCMS/core","ecosystem":"github","affected_versions":"dotCMS Core 25.11.04-1 through 26.04.28-02"},"reproduced_at":"2026-07-01T20:47:27.020705+00:00","duration_secs":6967.0,"tool_calls":532,"handoffs":3,"total_cost_usd":10.151798939999995,"agent_costs":{"coding":0.24372585000000005,"hypothesis_generator":0.07394246,"judge":0.595943,"repro":8.075981039999995,"support":0.06707869,"vuln_variant":1.0951278999999998},"cost_breakdown":{"coding":{"accounts/fireworks/models/kimi-k2p7-code":0.24372585000000005},"hypothesis_generator":{"accounts/fireworks/models/kimi-k2p7-code":0.07394246},"judge":{"gpt-5.5":0.595943},"repro":{"accounts/fireworks/models/kimi-k2p7-code":8.075981039999995},"support":{"accounts/fireworks/models/kimi-k2p7-code":0.06707869},"vuln_variant":{"accounts/fireworks/models/kimi-k2p7-code":1.0951278999999998}},"quality":{"confidence":"high","idempotent_verified":false,"community_verifications":0},"published_at":"2026-07-01T20:47:27.911541+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":15003,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":7936,"category":"analysis"},{"path":"bundle/vuln_variant/reproduction_steps.sh","filename":"reproduction_steps.sh","size":11853,"category":"reproduction_script"},{"path":"bundle/vuln_variant/rca_report.md","filename":"rca_report.md","size":7602,"category":"analysis"},{"path":"bundle/coding/proposed_fix.diff","filename":"proposed_fix.diff","size":6795,"category":"patch"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":657,"category":"other"},{"path":"bundle/ticket.json","filename":"ticket.json","size":1963,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":1457,"category":"ticket"},{"path":"bundle/logs/fixed_opensearch_container.log","filename":"fixed_opensearch_container.log","size":35467,"category":"log"},{"path":"bundle/logs/vuln_dotcms_container.log","filename":"vuln_dotcms_container.log","size":210253,"category":"log"},{"path":"bundle/logs/fixed_dotcms_container.log","filename":"fixed_dotcms_container.log","size":210767,"category":"log"},{"path":"bundle/logs/vuln_opensearch_container.log","filename":"vuln_opensearch_container.log","size":36475,"category":"log"},{"path":"bundle/logs/vuln_results.json","filename":"vuln_results.json","size":336,"category":"other"},{"path":"bundle/logs/fixed_results.json","filename":"fixed_results.json","size":536,"category":"other"},{"path":"bundle/logs/timing_summary.tsv","filename":"timing_summary.tsv","size":479,"category":"other"},{"path":"bundle/logs/vuln_postgres_container.log","filename":"vuln_postgres_container.log","size":4203,"category":"log"},{"path":"bundle/logs/fixed_postgres_container.log","filename":"fixed_postgres_container.log","size":4203,"category":"log"},{"path":"bundle/logs/test_api.py","filename":"test_api.py","size":2066,"category":"script"},{"path":"bundle/logs/verdict.json","filename":"verdict.json","size":19,"category":"other"},{"path":"bundle/logs/reproduction_steps.log","filename":"reproduction_steps.log","size":18818,"category":"log"},{"path":"bundle/vuln_variant/test_variant.py","filename":"test_variant.py","size":3984,"category":"script"},{"path":"bundle/vuln_variant/variant_manifest.json","filename":"variant_manifest.json","size":3157,"category":"other"},{"path":"bundle/vuln_variant/runtime_manifest.json","filename":"runtime_manifest.json","size":847,"category":"other"},{"path":"bundle/vuln_variant/root_cause_equivalence.json","filename":"root_cause_equivalence.json","size":2317,"category":"other"},{"path":"bundle/vuln_variant/patch_analysis.md","filename":"patch_analysis.md","size":5490,"category":"documentation"},{"path":"bundle/vuln_variant/validation_verdict.json","filename":"validation_verdict.json","size":999,"category":"other"},{"path":"bundle/logs/vuln_variant_reproduction_steps.log","filename":"vuln_variant_reproduction_steps.log","size":7574,"category":"log"},{"path":"bundle/logs/vuln_variant_results.json","filename":"vuln_variant_results.json","size":2446,"category":"other"},{"path":"bundle/logs/vuln_variant_analysis.json","filename":"vuln_variant_analysis.json","size":2109,"category":"other"},{"path":"bundle/logs/fixed_variant_results.json","filename":"fixed_variant_results.json","size":4096,"category":"other"},{"path":"bundle/logs/verify_fix.log","filename":"verify_fix.log","size":935,"category":"log"},{"path":"bundle/coding/summary_report.md","filename":"summary_report.md","size":5310,"category":"documentation"},{"path":"bundle/coding/verify_fix.sh","filename":"verify_fix.sh","size":2025,"category":"other"}]}