Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
The endpoints /api/auditPublishing/get and /api/auditPublishing/getAll did not enforce authentication and accepted unsanitized user input that was directly used to dynamically construct SQL queries. An attacker could inject malicious SQL expressions through HTTP request parameters, gaining full control over queries directed to the database. The patch introduced in version 26.04.28-03 now requires authentication as a backend user with permission to the publishing-queue portlet.
An attacker can read, modify, or destroy any content in the dotCMS system database without authentication, which may lead to disclosure of sensitive data, account takeover, or complete destruction of application data.
dotCMS Core must be updated to version 26.04.28-03 or later. Patch details are available in the official vendor documentation at https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75 and in the pull request https://github.com/dotCMS/core/pull/35553.
dotCMS Core versions 25.11.04-1 through 26.04.28-02 (inclusive). LTS versions are not vulnerable — the vulnerable code was never backported to them.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X