Description

Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.

PUBLISHED Reserved 2026-04-17 | Published 2026-04-21 | Updated 2026-04-21 | Assigner TYPO3




HIGH: 7.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H)

Problem types

CWE-312 Cleartext storage of sensitive information

Product status

Default status: unaffected

Affected: 14.2.0 (semver) before 14.3.0

Credits

Martin Clewing reporter

Garvin Hicking remediation developer

Stefan Bürk remediation developer

Oliver Hader remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2026-005 vendor-advisory

github.com/...ommit/9a6e913f70767f63b322ae3e2d2f4e302624c291 (Git commit of main branch) patch

cve.org (CVE-2026-6553)

nvd.nist.gov (CVE-2026-6553)
