PT-2026-47748 · Typo3 · Typo3/Cms
Oliver Hader +1
Published 2026-06-09 · Updated 2026-06-09
CVE-2026-49741
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
TYPO3 CMS versions 14.0.0 through 14.3.3
Description
Backend users with write access to the form definition database table can directly create, update, or delete form definition records using the DataHandler. This process bypasses the Form Framework's persistence validation and permission checks, enabling the injection of arbitrary form configurations. This can lead to SQL injection and privilege escalation.
Recommendations
Update TYPO3 CMS to a version later than 14.3.3.
Fix
Missing Authorization
SQL injection
Affected Products: Typo3/Cms