The SQL injection vulnerability in dotCMS can be exploited by an unauthenticated attacker through CSRF or as a user with Publisher permissions, allowing arbitrary database entries and potentially Remote Code Execution if the H2 database is used. An attacker can exploit the Push Publishing feature to inject SQL syntax, and the lack of input sanitization and prepared statements makes it possible to execute stacked SQL queries. The vulnerability was reported in 2019 and addressed in release 5.1.6, which includes a URL filter that prevents exploitation by bypassing curly braces in URLs.