Selçuk Güney

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** Backend users with write access to the `form definition` database table can directly create, update, or delete form definition records using the DataHandler. This process bypasses the Form Framework's persistence validation and permission checks, enabling the injection of arbitrary form configurations. This can lead to SQL injection and privilege escalation. **Recommendations** Update TYPO3 CMS to a version later than 14.3.3.