SQL Injection in extension “News system” (news)_CVE-2026-8726

8.2 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

Basic Information

ID CVE-2026-8726

Source TYPO3

Published May 19, 2026 at 09:22

Affected Product

Vendor TYPO3

Product Extension "News system"

Version 14.0.0

Affected Versions TYPO3 Extension "News system" 14.0.0
TYPO3 Extension "News system" 13.0.0
TYPO3 Extension "News system" 12.0.0
TYPO3 Extension "News system" 0

CWE Classification

CWE-89

References

typo3.org /security/advisory/typo3-ext-sa-2026-010

{
    "lastseen": "",
    "description": "The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the \"Date Menu of news articles\" plugin. Exploitation requires the \"Date Menu of news articles\" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.",
    "published": "2026-05-19T09:22:09.037Z",
    "modified": "2026-05-19T09:22:09.037Z",
    "type": "cve",
    "title": "SQL Injection in extension \"News system\" (news)",
    "source": "TYPO3",
    "references": "https://typo3.org/security/advisory/typo3-ext-sa-2026-010",
    "id": "CVE-2026-8726",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "TYPO3 Extension \"News system\" 14.0.0\nTYPO3 Extension \"News system\" 13.0.0\nTYPO3 Extension \"News system\" 12.0.0\nTYPO3 Extension \"News system\" 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Extension \"News system\"",
    "version": "14.0.0",
    "vendor": "TYPO3",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}