CVE-2026-47346

216.73.216.226

· Published 09/06/2026 11:16 · Modified 09/06/2026 13:46

Labels: CVE-2026-47346 2026-06-09 CVE-2026-47346 CWE-178 f4fb688c-4412-4426-b4b8-421ecf27b14a

Essential information

Published: 09/06/2026 11:16
Modified: 09/06/2026 13:46
Author: —
Creator: —
CVSS: 7.6 HIGH (v3) 7.6 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: f4fb688c-4412-4426-b4b8-421ecf27b14a
NVD: View on NVD

Affected products (CPE)

Product	CPE
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:<10.4.57:::::::*`
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:11.0.0-11.5.50:::::::*`
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:12.0.0-12.4.45:::::::*`
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:13.0.0-13.4.30:::::::*`
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:14.0.0-14.3.2:::::::*`