PT-2026-41868 · Unknown · Address List

Georg Ringer · Published 2026-05-19 · Updated 2026-05-19 · CVE-2026-8827

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Address List (tt address) (affected versions not specified)

Description

The AddressRepository::getSqlQuery() function constructs a database query without properly sanitizing user input, which can lead to SQL Injection (a technique where malicious SQL statements are inserted into entry fields for execution). While this method is not called within the extension by default, custom extensions that invoke it using untrusted input can expose the site to this risk.

Recommendations

As a temporary workaround, avoid calling the getSqlQuery() function with untrusted input in custom extensions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
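
One way to find the call sites the workaround applies to, as an added example that is not code from this advisory or from the extension: a heuristic audit that lists every getSqlQuery() call in custom extension PHP files and flags those fed from request data. The request-accessor patterns are an assumed, non-exhaustive list, and the call shapes in the constructed sample are hypothetical because the page does not give the method's signature.

```python
import re
from pathlib import Path

# Heuristic markers of request-derived data in PHP/TYPO3 code (not exhaustive).
UNTRUSTED = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|GeneralUtility::_(?:GP|GET|POST)\b"
    r"|->getArgument\(|->getQueryParams\(|->getParsedBody\("
)
CALL = re.compile(r"(?:->|::)getSqlQuery\s*\(")
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])\s*(.+?);")

def uses(expr, tainted):
    """True if expr mentions any variable already marked as request-derived."""
    return any(re.search(re.escape(v) + r"\b", expr) for v in tainted)

def audit_source(php, name="<inline>"):
    """Return (file, line, verdict) for every getSqlQuery() call site."""
    tainted, findings = set(), []
    for no, line in enumerate(php.splitlines(), 1):
        m = ASSIGN.search(line)
        if m and (UNTRUSTED.search(m.group(2)) or uses(m.group(2), tainted)):
            tainted.add(m.group(1))  # single-pass, line-level taint tracking
        call = CALL.search(line)
        if call:
            args = line[call.end():]
            risky = UNTRUSTED.search(args) or uses(args, tainted)
            findings.append((name, no, "UNTRUSTED-INPUT" if risky else "review"))
    return findings

def audit_tree(root):
    """Audit every *.php file below root (e.g. a custom extension directory)."""
    out = []
    for path in sorted(Path(root).rglob("*.php")):
        out += audit_source(path.read_text(errors="replace"), str(path))
    return out

# Constructed sample; the call shapes are hypothetical.
SAMPLE = """<?php
$pid = (int)$settings['storagePid'];
$term = $this->request->getArgument('search');
$a = $addressRepository->getSqlQuery($pid);
$b = $addressRepository->getSqlQuery($term);
$c = $addressRepository->getSqlQuery(GeneralUtility::_GP('q'));
"""

if __name__ == "__main__":
    for finding in audit_source(SAMPLE):
        print(*finding)
```

Calls marked "review" still need a manual check, since the line-level tracking misses multi-line calls and values passed through helper functions.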

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2026-8827

Affected Products: Address List