CVE-2026-47346

Description

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

PUBLISHED Reserved 2026-05-19 | Published 2026-06-09 | Updated 2026-06-09 | Assigner TYPO3

Problem types

CWE-178 Improper Handling of Case Sensitivity

CWE-862 Missing Authorization

Product status

Credits

Alexander Künzl reporter

Oliver Hader remediation developer

Benjamin Franzke remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2026-008 vendor-advisory

github.com/...ommit/2030617e6f273cee7b756c695f0a48a45a31eb47 (Git commit of main branch) patch

github.com/...ommit/eb2b2251d90339d3ab55df3d4c0378ae0c780b45 (Git commit of 13.4 branch) patch

cve.org (CVE-2026-47346)

nvd.nist.gov (CVE-2026-47346)

Download JSON