CVE-2022-26352
CVE-2022-26352 is a critical-severity vulnerability in Dotcms with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-25).
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 92% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-08-25)
- EU (EUVD) id: EUVD-2022-30911
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-08-25)
- Affected product: Dotcms
- Published:
- Last modified:
Description
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.
CVE-2022-26352: dotCMS ContentResource Directory Traversal and Arbitrary File Upload
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2022-26352 |
| Vendor | dotCMS |
| Product | dotCMS |
| Severity | Critical |
| CVSS v3.1 | 9.8 |
| EPSS | 0.91501 (99.8th percentile) |
| KEV | Added 2022-08-25 |
| Affected | 3.0 – 22.02 |
Summary
CVE-2022-26352 is a directory traversal vulnerability in dotCMS's ContentResource API. Insufficient sanitization of the filename parameter in multipart form requests allows attackers to write files outside the intended upload directory. When anonymous content creation is enabled, an unauthenticated attacker can upload an executable file—such as a .jsp file—to a web-accessible path, leading to remote code execution.
Background
dotCMS is an open-source content management system written in Java. The ContentResource API provides HTTP endpoints for content creation, including multipart form submissions that allow users to upload files. This endpoint is exposed to frontend users and editorial workflows, making it a sensitive attack surface in typical deployments.
Root cause
The vulnerability arises from insufficient sanitization of the filename field supplied in multipart form uploads handled by the ContentResource API. The application fails to validate or strip directory traversal sequences (for example, ../) from the user-provided filename before computing the destination path on the underlying filesystem. Consequently, the attacker can influence the final write location, bypassing the intended storage boundary. This is a path traversal weakness in a file upload handling routine.
Impact
The CVSS v3.1 score of 9.8 (Critical) reflects that the vulnerability is exploitable over the network with low attack complexity, requires no privileges, and needs no user interaction. The confidentiality, integrity, and availability impacts are all rated HIGH.
Successful exploitation can result in arbitrary file upload to web-accessible or sensitive directories. If an executable file such as a .jsp is placed in a directory served by the application server, the attacker can achieve remote code execution. Even in the absence of code execution, the traversal can be abused to overwrite or pollute files on the host filesystem.
Exploitation walkthrough
The attack surface is the ContentResource API's multipart form endpoint. An attacker constructs a multipart HTTP request where the filename field contains directory traversal sequences. Because the application does not sanitize this value before writing the file, the content is saved to a directory outside the intended upload folder.
If anonymous content creation is enabled, the attacker does not need valid credentials. An executable file placed in a web-accessible directory may be processed by the servlet container, granting the attacker remote code execution.
Ethics caveat: This description is provided for defensive purposes only. Security researchers and operators should test only on systems they own or have explicit written authorization to assess.
Affected and patched versions
- Affected: dotCMS 3.0 through 22.02
- Patched: Versions after 22.02 are not affected. Users should upgrade to the latest available release or consult the vendor's release notes for the specific fix.
Remediation
- Upgrade: Update dotCMS to a version newer than 22.02. Verify the fix in the vendor's changelog or release notes before deploying.
- Disable anonymous content creation: If anonymous content creation is not required, disable it to prevent unauthenticated exploitation of this endpoint.
- Input validation: Deploy a web application firewall (WAF) or reverse proxy rule that inspects
multipart/form-datarequests and blocks directory traversal patterns in thefilenameparameter. - File system controls: Restrict the application process's write permissions to the intended upload directory. Ensure that uploaded files cannot be executed by the web server or application server.
- Network segmentation: Limit exposure of the ContentResource API to trusted administrative networks where possible.
Detection
- Monitor HTTP access logs for
POSTrequests to the ContentResource API containing../or URL-encoded traversal sequences in multipartfilenamefields. - Alert on file creation events outside the designated dotCMS asset or upload directories, especially for executable extensions such as
.jsp. - Use file integrity monitoring (FIM) on the web application root to detect unauthorized file placement.
- Correlate multipart uploads with subsequent requests to unusual paths or unexpected child processes spawned by the application server.
Assessment
This vulnerability carries an EPSS score of 0.91501 (99.8th percentile), indicating a very high probability of active exploitation in the wild. Its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog on 2022-08-25, and its presence on the EU's exploited vulnerabilities list since the same date, confirms that threat actors have successfully weaponized it.
Key lessons:
- File upload endpoints must always sanitize user-provided filenames, stripping path separators and traversal sequences before any filesystem operation.
- Anonymous or unauthenticated content creation features dramatically expand the attack surface of upload vulnerabilities and should be disabled by default unless explicitly required.
References
Frequently asked questions
- What is CVE-2022-26352?
- An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.
- How severe is CVE-2022-26352?
- CVE-2022-26352 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-26352 being actively exploited?
- Yes. CVE-2022-26352 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-26352?
- CVE-2022-26352 affects Dotcms. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-26352?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-26352 have an EU (EUVD) identifier?
- Yes. CVE-2022-26352 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-30911. It is also flagged as exploited in the EUVD (since 2022-08-25).
- When was CVE-2022-26352 published?
- CVE-2022-26352 was published on 2022-07-17 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html
- https://groups.google.com/g/dotcms
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26352
Affected products (1)
- cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*
More vulnerabilities in Dotcms
- CVE-2025-11165 — Critical (CVSS 9.9): A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users…
- CVE-2020-19138 — Critical (CVSS 9.8): Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allow remote attackers to execute…
- CVE-2020-6754 — Critical (CVSS 9.8): dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to…
- CVE-2017-5344 — Critical (CVSS 9.8): An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web…
- CVE-2016-2355 — Critical (CVSS 9.8): SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL…
- CVE-2016-8902 — Critical (CVSS 9.8): SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated…