
Description

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.

State: PUBLISHED | Reserved 2026-06-01 | Published 2026-06-09 | Updated 2026-06-09 | Assigner: TYPO3

Severity: HIGH 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N)

Problem types

CWE-862 Missing Authorization

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected

14.0.0 (semver) before 14.3.3: affected

Credits

Selçuk Güney (reporter)

Oliver Hader (remediation developer)

References

typo3.org/security/advisory/typo3-core-sa-2026-017 (vendor advisory)

typo3.org/security/advisory/typo3-core-sa-2018-003 (related advisory)

github.com/...ommit/c90493c13b633f328cf2c066182c90a1655ff0fc (patch; Git commit on the main branch)

cve.org (CVE-2026-49741)

nvd.nist.gov (CVE-2026-49741)
