Vulnerabilities in dotCMS
8 resultsCVE-2026-8054CRITICALUnauthenticated SQL Injection in dotCMS Publish Audit APIEPSS 1.6%CVE-2025-8311CRITICALdotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. This endpoint uEPSS 1.6%CVE-2024-3165MEDIUMDatabase Credential Exposure in the LogsEPSS 0.5%CVE-2024-4447CRITICALIn the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjaEPSS 0.5%CVE-2024-3164MEDIUMIn dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is acceEPSS 0.5%CVE-2023-3042MEDIUMCNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8EPSS 0.4%CVE-2025-11165CRITICALA sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privilegEPSS 0.3%CVE-2024-3938MEDIUMThe "reset password" login page accepted an HTML injection via URL parameters.
This has already been rectified via patch, and as such it caEPSS 0.2%