TYPO3 CMS – Broken Access Control in Form Framework

7.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Basic Information

ID CVE-2026-47346

Source TYPO3

Published Jun 9, 2026 at 10:50

Affected Product

Vendor TYPO3

Product TYPO3 CMS

Affected Versions TYPO3 TYPO3 CMS 0
TYPO3 TYPO3 CMS 11.0.0
TYPO3 TYPO3 CMS 12.0.0
TYPO3 TYPO3 CMS 13.0.0
TYPO3 TYPO3 CMS 14.0.0

CWE Classification

CWE-178 CWE-862

References

{
    "lastseen": "",
    "description": "Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.",
    "published": "2026-06-09T10:50:21.934Z",
    "modified": "2026-06-09T10:50:21.934Z",
    "type": "cve",
    "title": "TYPO3 CMS - Broken Access Control in Form Framework",
    "source": "TYPO3",
    "references": "https://typo3.org/security/advisory/typo3-core-sa-2026-008\nhttps://github.com/TYPO3/typo3/commit/2030617e6f273cee7b756c695f0a48a45a31eb47\nhttps://github.com/TYPO3/typo3/commit/eb2b2251d90339d3ab55df3d4c0378ae0c780b45",
    "id": "CVE-2026-47346",
    "bulletinFamily": "",
    "cwe": [
        "CWE-178",
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "TYPO3 TYPO3 CMS 0\nTYPO3 TYPO3 CMS 11.0.0\nTYPO3 TYPO3 CMS 12.0.0\nTYPO3 TYPO3 CMS 13.0.0\nTYPO3 TYPO3 CMS 14.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "TYPO3 CMS",
    "version": "0",
    "vendor": "TYPO3",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

TYPO3 CMS – Broken Access Control in Form Framework_CVE-2026-47346