SQL injection in Joomla extension DT Register allows remote unauthenticated attacker to execute malicous SQL commands. Step-by-Step Proof-of-Concept and interesting communication with vendor.

CVE-2016-8600 dotCMS before version 3.6.0 allows attacker to programmatically reuse valid captcha code.

CVE-2016-4803 Email Header Injection vulnerability in dotCMS framework allows attacker to send malicious emails using "valid" and "trusted" email server.