CVE Tools

dotcms

Web & CMS Pluginscommercial

31

Cumulative CVEs

15

Monthly snapshots

#51

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting dotcms.

CVE-2025-11165A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by...9.9Feb 24, 2026
CVE-2024-4447In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information ...9.9Jul 26, 2024
CVE-2024-3938The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested...5.4Jul 25, 2024
CVE-2024-3165Database Credential Exposure in the Logs4.5Apr 1, 2024
CVE-2024-3164In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS ...4.5Apr 1, 2024
CVE-2023-3042CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd85.3Oct 17, 2023
CVE-2022-45783An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.6.5Feb 1, 2023
CVE-2022-45782An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to acco...8.8Feb 1, 2023
CVE-2022-37034In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-...5.3Feb 1, 2023
CVE-2022-37033In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving ...6.5Feb 1, 2023
CVE-2022-35740dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter. (This is also fixed in ...6.1Nov 10, 2022
CVE-2022-37431A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false. NOTE: the vendor d...6.1Aug 5, 2022
CVE-2022-26352An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows di...KEV9.8Jul 17, 2022
CVE-2020-19138Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.ja...9.8Sep 8, 2021
CVE-2020-18875Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files.8.8Aug 18, 2021