CVE Catalog

CVE-2026-47346

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile - higher than 9% of all known CVEs

Summary

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts.

Risk Assessment

The organization is exposed to serious risks related to unauthorized access to the system and the potential for privilege escalation, which could lead to data loss and compromise of system integrity.

Recommendation

It is recommended to update TYPO3 CMS to the latest version to mitigate this vulnerability and review backend user permissions to restrict file upload capabilities.

Original NVD description (English source)

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS