CVE-2026-11607
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, leading to the processing of files with incorrect extensions. Maliciously crafted form definition files can be used to execute arbitrary SQL statements.
Risk Assessment
Attackers can exploit this vulnerability to escalate privileges by creating administrative backend user accounts. This poses a serious threat to the integrity and security of the system.
Recommendation
It is recommended to update TYPO3 CMS to version 10.4.57, 11.5.52 or newer to mitigate this vulnerability. An audit of existing user accounts should also be conducted to detect potential abuses.
Original NVD description (English source)
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

