CVE Catalog

CVE-2026-11607

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

11th percentile - higher than 11% of all known CVEs

Summary

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, leading to the processing of files with incorrect extensions. Maliciously crafted form definition files can be used to execute arbitrary SQL statements.

Risk Assessment

Attackers can exploit this vulnerability to escalate privileges by creating administrative backend user accounts. This poses a serious threat to the integrity and security of the system.

Recommendation

It is recommended to update TYPO3 CMS to version 10.4.57, 11.5.52 or newer to mitigate this vulnerability. An audit of existing user accounts should also be conducted to detect potential abuses.

Original NVD description (English source)

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS