Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

518 matches found

Nuclei
Nucleiadded yesterday36 views

DotCMS < 5.0.2 - Open Redirect

dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forwardjs.jsp FORWARDURL parameter or the html/portlet/ext/common/pagepreviewpopup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify...

6.1CVSS6.3AI score0.03588EPSS
Exploits1References3
Nuclei
Nucleiadded 2026/06/16 7:13 a.m.42 views

DotCMS - Arbitrary File Upload

DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions. id: CVE-2022-26352 info: name: DotCMS - Arbitrary File Upload author: h1ei1 severity: critical description: DotCM...

9.8CVSS8.5AI score0.91501EPSS
Exploits4References5
Nuclei
Nucleiadded 2026/06/09 8:16 a.m.12 views

dotCMS Core Publish Audit API - Unauthenticated SQL Injection

dotCMS Core 25.11.04-1 through 26.04.28-02 contains an SQL injection caused by unsanitized input in Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll, letting remote unauthenticated attackers read, modify, or destroy arbitrary database content, exploit requires ...

10CVSS5.8AI score0.01178EPSS
Exploits1References3
RedhatCVE
RedhatCVEadded 2026/06/05 7:11 p.m.6 views

CVE-2026-8054

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' in the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrar...

10CVSS5.9AI score0.01178EPSS
Exploits1References1
NVD
NVDadded 2026/05/27 9:16 a.m.14 views

CVE-2026-8054

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' in the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrar...

10CVSS0.01178EPSS
Exploits1References2
Vulnrichment
Vulnrichmentadded 2026/05/27 7:55 a.m.7 views

CVE-2026-8054 Unauthenticated SQL Injection in dotCMS Publish Audit API

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' in the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrar...

10CVSS6.1AI score0.01178EPSS
Exploits1References2
ATTACKERKB
ATTACKERKBadded 2026/05/27 7:55 a.m.5 views

CVE-2026-8054

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' in the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrar...

10CVSS6.1AI score0.01178EPSS
Exploits1References3Affected Software1
Cvelist
Cvelistadded 2026/05/27 7:55 a.m.29 views

CVE-2026-8054 Unauthenticated SQL Injection in dotCMS Publish Audit API

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' in the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrar...

10CVSS0.01178EPSS
Exploits1References2
CVE
CVEadded 2026/05/27 7:55 a.m.31 views

CVE-2026-8054

dotCMS Core versions 25.11.04-1 to 26.04.28-02 contain an SQL injection in the Publish Audit API (/api/auditPublishing/get and /api/auditPublishing/getAll). The endpoints did not require authentication and used unsanitized input in dynamically constructed SQL, allowing remote unauthenticated atta...

10CVSS6.1AI score0.01178EPSS
Exploits1References2
CNNVD
CNNVDadded 2026/05/27 12:0 a.m.11 views

DotCMS 安全漏洞

DotCMS is an open-source content management system written in Java, developed by DotCMS Inc. It is used to manage content and content-driven websites and applications. There are security vulnerabilities in the DotCMS Core version 25.11.04-1 to 26.04.28-02. These vulnerabilities stem from the...

10CVSS5.8AI score0.01178EPSS
Exploits1References2
Positive Technologies
Positive Technologiesadded 2026/05/27 12:0 a.m.9 views

PT-2026-43625

Name of the Vulnerable Software and Affected Versions dotCMS Core versions 25.11.04-1 through 26.04.28-02 Description Improper neutralization of special elements used in an SQL command allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The issue exists...

10CVSS5.8AI score0.01178EPSS
Exploits1References7
RedhatCVE
RedhatCVEadded 2026/02/25 10:16 a.m.4 views

CVE-2025-11165

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

9.9CVSS5.9AI score0.00303EPSS
Exploits0References1
OSV
OSVadded 2026/02/24 9:16 a.m.7 views

CVE-2025-11165

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

9.9CVSS6AI score
Exploits0References1
NVD
NVDadded 2026/02/24 9:16 a.m.6 views

CVE-2025-11165

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

9.9CVSS0.00303EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 2026/02/24 8:27 a.m.7 views

CVE-2025-11165

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

9.4CVSS5.9AI score0.00303EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/02/24 8:27 a.m.6 views

CVE-2025-11165

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

9.4CVSS5.8AI score0.00303EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/02/24 8:27 a.m.19 views

CVE-2025-11165

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

9.4CVSS0.00303EPSS
Exploits0References1
EUVD
EUVDadded 2026/02/24 8:27 a.m.7 views

EUVD-2025-207542

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

9.4CVSS5.9AI score0.00303EPSS
Exploits0References1
CVE
CVEadded 2026/02/24 8:27 a.m.13 views

CVE-2025-11165

Affects dotCMS with its Velocity scripting engine (VTools). The issue is a sandbox escape where authenticated users with scripting privileges can bypass SecureUberspectorImpl protections by dynamically altering the Velocity runtime configuration and reinitializing its Uberspect, removing introspe...

9.9CVSS5.9AI score0.00303EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologiesadded 2026/02/24 12:0 a.m.7 views

PT-2026-21673

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

9.4CVSS5.8AI score0.00303EPSS
Exploits0References2
Rows per page
Query Builder