
Description

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

State PUBLISHED | Reserved 2026-05-16 | Published 2026-05-19 | Updated 2026-05-19 | Assigner TYPO3

Severity HIGH 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected
14.0.0 (semver) before 14.0.3: affected
13.0.0 (semver) before 13.0.2: affected
12.0.0 (semver) before 12.3.2: affected
Any version before 11.4.4: affected

Credits

Christian Kuhn (reporter)
Georg Ringer (remediation developer)

References

typo3.org/security/advisory/typo3-ext-sa-2026-010 (vendor advisory)
cve.org (CVE-2026-8726)
nvd.nist.gov (CVE-2026-8726)
