Threat Advisory

TYPO3 CMS Backend Module Cleartext Password Storage Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-6553, with a CVSS score of 7.5, is a cleartext password storage vulnerability in the TYPO3 CMS backend user settings module. It affects the composer/typo3/cms-backend package in version 14.2.0 and can be exploited by an attacker with low privileges, or by a malicious user with backend access, who can reach the backend user settings module. By manipulating the user settings module, such an attacker can gain access to backend user passwords stored in cleartext in the uc and user_settings fields of the be_users database table, and thereby bypass password-based authentication controls. Exploitation has significant business impact, potentially leading to unauthorized access to sensitive data and compromised backend user accounts. To exploit this vulnerability, an attacker must be able to manipulate the backend user settings module, which typically requires access to the affected TYPO3 CMS installation and valid backend credentials.

RECOMMENDATION:

  • We recommend updating TYPO3 CMS to version 14.3.0.
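
To check whether the uc and user_settings columns named in the summary hold password values, rows exported from be_users can be scanned as below. This is an added example, not code from TYPO3 or the referenced advisory; it assumes uc holds PHP serialize() output, user_settings holds JSON, and that the key names in SUSPECT_KEYS are the relevant ones.

```python
import json
import re

# Assumption: key names under which a password could end up in the settings blobs.
SUSPECT_KEYS = ("password", "password2", "passwordCurrent")
PHP_PAIR = re.compile(r's:\d+:"(?P<key>[^"]+)";s:(?P<len>\d+):"')

def keys_in_php_serialized(blob):
    """Heuristic scan of s:<len>:"<key>";s:<len>:"<value>" pairs (not a full unserializer)."""
    return sorted({m["key"] for m in PHP_PAIR.finditer(blob or "")
                   if m["key"] in SUSPECT_KEYS and int(m["len"]) > 0})

def keys_in_json(blob):
    """Walk a JSON document; return suspect keys holding a non-empty string."""
    try:
        doc = json.loads(blob) if blob else None
    except ValueError:
        return []
    found, stack = set(), [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SUSPECT_KEYS and isinstance(value, str) and value:
                    found.add(key)
                stack.append(value)
        elif isinstance(node, list):
            stack.extend(node)
    return sorted(found)

def audit(rows):
    """Report which accounts and columns are affected; never echoes the values."""
    findings = []
    for row in rows:
        hits = {"uc": keys_in_php_serialized(row.get("uc")),
                "user_settings": keys_in_json(row.get("user_settings"))}
        hits = {col: keys for col, keys in hits.items() if keys}
        if hits:
            findings.append({"uid": row["uid"], "username": row["username"], "fields": hits})
    return findings

# Constructed sample rows, not real data.
SAMPLE_ROWS = [
    {"uid": 1, "username": "editor", "user_settings": '{"lang":"en"}',
     "uc": 'a:2:{s:4:"lang";s:2:"en";s:8:"password";s:11:"Example-pw1";}'},
    {"uid": 2, "username": "reviewer", "uc": 'a:1:{s:8:"password";s:0:"";}',
     "user_settings": '{"setup":{"password":"Example-pw2","password2":"Example-pw2"}}'},
    {"uid": 3, "username": "author", "uc": 'a:1:{s:4:"lang";s:2:"de";}', "user_settings": None},
]
```

Accounts reported by audit() are candidates for a password reset and for clearing the affected field.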

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-xvv6-p4wf-mvx7
