A pre-auth remote code execution vulnerability was found in DotCMS which was achievable by performing a directory traversal attack during file upload. This vulnerability ultimately allows attacker to execute arbitrary commands on the underlying system.
This vulnerability is exploitable with the default configuration of DotCMS and was tested on version 22.01.
The CVE for this issue is CVE-2022-26352. The advisory from DotCMS can be found here.