TYPO3 CMS - Broken Access Control in Form Framework
Summary
| CVE | CVE-2026-47346 |
|---|---|
| State | PUBLISHED |
| Assigner | TYPO3 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-09 11:16:52 UTC |
| Updated | 2026-06-09 13:46:50 UTC |
| Description | Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2. |
Risk And Classification
Primary CVSS: v4.0 7.6 HIGH from f4fb688c-4412-4426-b4b8-421ecf27b14a
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.004390000 probability, percentile 0.348260000 (date 2026-06-16)
Problem Types: CWE-178 | CWE-862 | CWE-178 CWE-178 Improper Handling of Case Sensitivity | CWE-862 CWE-862 Missing Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | f4fb688c-4412-4426-b4b8-421ecf27b14a | Secondary | 7.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 7.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
PresentPrivileges Required
LowUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
NoneSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | TYPO3 | TYPO3 CMS | affected 10.4.57 semver | Not specified |
| CNA | TYPO3 | TYPO3 CMS | affected 11.0.0 11.5.51 semver | Not specified |
| CNA | TYPO3 | TYPO3 CMS | affected 12.0.0 12.4.46 semver | Not specified |
| CNA | TYPO3 | TYPO3 CMS | affected 13.0.0 13.4.31 semver | Not specified |
| CNA | TYPO3 | TYPO3 CMS | affected 14.0.0 14.3.3 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| typo3.org/security/advisory/typo3-core-sa-2026-008 | f4fb688c-4412-4426-b4b8-421ecf27b14a | typo3.org | |
| github.com/TYPO3/typo3/commit/eb2b2251d90339d3ab55df3d4c0378ae0c780b45 | f4fb688c-4412-4426-b4b8-421ecf27b14a | github.com | |
| github.com/TYPO3/typo3/commit/2030617e6f273cee7b756c695f0a48a45a31eb47 | f4fb688c-4412-4426-b4b8-421ecf27b14a | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Alexander Künzl (en)
CNA: Oliver Hader (en)
CNA: Benjamin Franzke (en)
There are currently no legacy QID mappings associated with this CVE.