# CVE-2026-8054

## Summary

Unauthenticated SQL injection in dotCMS Publish Audit API

## Description

CVE-2026-8054 / GHSA-jpx3-25r2-jq5g affects the dotCMS Core Publish Audit API endpoints. Public advisory data reports unauthenticated SQL injection in `/api/auditPublishing/get` and `/api/auditPublishing/getAll` for dotCMS Core versions 25.11.04-1 through 26.04.28-02, fixed in 26.04.28-03. The vulnerable path was not backported to LTS releases.

Reproduction objective: run a real affected dotCMS application or API server and prove unauthenticated runtime SQL injection through HTTP against the Publish Audit API, not a unit assertion or sanitizer-only check. A strong proof should compare a false-condition request against a true-condition request, such as a PostgreSQL time-delay payload using `pg_sleep`, capture concrete timing and HTTP logs, and show that the request reaches the real endpoint without authentication. Include a negative control using the fixed version 26.04.28-03, or equivalent patched behavior, where the same request no longer produces the SQLi timing effect.
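One way to judge whether captured timings meet that bar, as an added example that is not part of the advisory or of dotCMS: it takes already-recorded (HTTP status, seconds) samples for the false and true conditions on the affected and fixed builds and applies the comparison and negative control described above. The function names, the 0.8 tolerance, the minimum of three samples and every sample value are assumptions constructed for illustration.

```python
from statistics import median

AUTH_REJECTED = {401, 403}  # request was stopped before the endpoint's query ran

def delta(run):
    """Median true-condition latency minus median false-condition latency (s)."""
    return median(t for _, t in run["true"]) - median(t for _, t in run["false"])

def shows_delay(run, delay_s, tolerance=0.8):
    """run = {"false": [(status, seconds), ...], "true": [...]} for one build."""
    for cond in ("false", "true"):
        if len(run[cond]) < 3:
            raise ValueError("need at least 3 samples per condition")
        if any(status in AUTH_REJECTED for status, _ in run[cond]):
            return False  # no evidence the unauthenticated request reached the query
    # Medians keep one slow outlier from faking or hiding the effect.
    return delta(run) >= tolerance * delay_s

def verdict(affected, fixed, delay_s):
    """Combine the affected-build result with the fixed-build negative control."""
    on_affected = shows_delay(affected, delay_s)
    on_fixed = shows_delay(fixed, delay_s)
    if on_affected and not on_fixed:
        return "confirmed"        # delay on affected build, absent after the fix
    if on_affected and on_fixed:
        return "control-failed"   # wrong build under test, or unrelated slowness
    return "not-reproduced"

# Constructed sample measurements (not captured from a real server).
DELAY_S = 5.0  # sleep requested in the true-condition request
AFFECTED = {
    "false": [(200, 0.21), (200, 0.19), (200, 0.25), (200, 0.22), (200, 1.90)],
    "true":  [(200, 5.23), (200, 5.19), (200, 5.31), (200, 5.22), (200, 5.27)],
}
FIXED = {
    "false": [(200, 0.20), (200, 0.23), (200, 0.18), (200, 0.21), (200, 0.24)],
    "true":  [(200, 0.22), (200, 0.19), (200, 0.25), (200, 0.21), (200, 0.23)],
}

if __name__ == "__main__":
    print("affected delta: %.2fs" % delta(AFFECTED))
    print("fixed delta:    %.2fs" % delta(FIXED))
    print("verdict:", verdict(AFFECTED, FIXED, DELAY_S))
```

A "control-failed" result means the build labelled as fixed behaves like the affected one, so the build under test should be re-checked before the evidence is accepted.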

Known references:

- https://kevintel.com/CVE-2026-8054#overview
- https://github.com/advisories/GHSA-jpx3-25r2-jq5g
- https://github.com/dotCMS/core/pull/35553
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-8054.yaml

Known product repository: https://github.com/dotCMS/core

## Metadata

- Product: dotCMS Core
- Severity: critical
- Status: open
