{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": "HTTP request payload or parameters",
    "claimed_surface": "api_remote",
    "expected_impact": "sql_injection",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": "/api/auditpublishing/get, /api/auditpublishing/getall",
    "required_entrypoint_kind": "endpoint",
    "submission_reason": "ticket_derived",
    "trigger_class": "service_api",
    "upstream_verdicts": null
  },
  "latest_description": "CVE-2026-8054 / GHSA-jpx3-25r2-jq5g affects dotCMS Core Publish Audit API endpoints. Public advisory data reports unauthenticated SQL injection in /api/auditPublishing/get and /api/auditPublishing/getAll for dotCMS Core versions 25.11.04-1 through 26.04.28-02, fixed in 26.04.28-03. The vulnerable code path was not backported to LTS releases.\n\nReproduction objective: run a real affected dotCMS application or API server and prove unauthenticated runtime SQL injection through HTTP against the Publish Audit API, not a unit assertion or sanitizer-only check. A strong proof should compare a false-condition request against a true-condition request (for example, a PostgreSQL time-delay payload using pg_sleep), capture concrete timing/HTTP logs, and show that the request reaches the real endpoint without authentication. Include a negative control using the fixed version 26.04.28-03 or equivalent patched behavior, where the same request no longer produces the SQLi timing effect.\n\nKnown references: https://kevintel.com/CVE-2026-8054#overview, https://github.com/advisories/GHSA-jpx3-25r2-jq5g, https://github.com/dotCMS/core/pull/35553, https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-8054.yaml. Known product repository: https://github.com/dotCMS/core.",
  "product": "dotCMS Core",
  "severity": "critical",
  "status": "open",
  "summary": "Unauthenticated SQL injection in dotCMS Publish Audit API",
  "ticket_id": "CVE-2026-8054"
}