Threat Advisory

TYPO3 CMS Vulnerabilities Lead to Privilege Escalation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in TYPO3 CMS core and its Form and Filelist extensions, affecting versions 10.4.57 and later up to 14.3.2 (including the 14.0.0‑14.3.2 LTS series). The flaws comprise SQL injection and privilege‑escalation vectors in the Form Framework, broken access‑control weaknesses that permit unauthorized file uploads and execution of arbitrary SQL, and a path‑traversal issue in the Media module that can expose sensitive server files. Exploitation can allow attackers to create administrative accounts, read confidential logs, modify or delete data, and undermine the integrity and availability of the web application.

  • CVE-2026-49741 with a CVSS score of 7.5 – Backend users with write access to the form_definition table can bypass validation via DataHandler, inject arbitrary SQL and elevate privileges to create admin accounts.
  • CVE-2026-47346 with a CVSS score of 7.5 – Users with file write permission can upload form definition files using mixed‑case extensions, bypassing restrictions and executing arbitrary SQL to gain administrative rights.
  • CVE-2026-49742 with a CVSS score of 7.5 – Backend users with file download permission can retrieve files from the fallback storage through the Media module, exposing sensitive files such as logs via path traversal.
  • CVE-2026-11607 with a CVSS score of 7.5 – The Form Framework accepts files without the .form.yaml extension, allowing crafted definitions to run arbitrary SQL and create privileged backend accounts.
  • CVE-2026-47343 with a CVSS score of 7.5 – Non‑privileged backend users with file‑mount access can perform write operations on root folders, potentially disrupting content and enabling further attacks.

These high‑severity flaws collectively provide multiple avenues for attackers to compromise confidentiality, integrity, and availability of TYPO3 installations. Immediate attention is required because exploitation can lead to unauthorized administrative access, data leakage, and service disruption, jeopardizing trust and regulatory compliance.
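
As an added example (not part of this advisory and not TYPO3 project code), the following Python script audits a file storage for form definitions whose file name does not end in exactly `.form.yaml`, which is the condition behind CVE-2026-47346 (mixed-case extensions) and CVE-2026-11607 (files without the `.form.yaml` extension). It assumes a form definition can be recognised by a top-level `type: Form` line together with an `identifier:` key; the storage layout and sample files in `demo()` are constructed for illustration.

```python
"""
Audit a TYPO3-style file storage for form definition files whose name is
not the canonical ".form.yaml" (added defender-side example, not TYPO3 code).
"""
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Assumption: a TYPO3 form definition is a YAML document with a top-level
# "type: Form" line and an "identifier:" key.  Both markers must be present
# before a file is treated as a form definition.
FORM_MARKER = re.compile(r"^\s*type:\s*['\"]?Form['\"]?\s*$", re.MULTILINE)
IDENT_MARKER = re.compile(r"^\s*identifier:", re.MULTILINE)
EXPECTED_SUFFIX = ".form.yaml"


def looks_like_form_definition(text: str) -> bool:
    """True when the file content carries both form definition markers."""
    return bool(FORM_MARKER.search(text) and IDENT_MARKER.search(text))


def classify_name(name: str) -> Optional[str]:
    """Return a finding label for a non-canonical file name, or None if the
    name ends in exactly '.form.yaml' (case-sensitive)."""
    if name.endswith(EXPECTED_SUFFIX):
        return None
    lower = name.lower()
    if lower.endswith(EXPECTED_SUFFIX):
        return "mixed-case extension"
    if lower.endswith((".yaml", ".yml")):
        return "yaml without .form.yaml suffix"
    return "non-yaml extension"


def audit_storage(root: Path) -> List[Tuple[str, str]]:
    """Walk the storage and report every form definition whose name is not
    canonical, as (path relative to root, finding label) pairs."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        if not looks_like_form_definition(text):
            continue
        label = classify_name(path.name)
        if label is not None:
            findings.append((path.relative_to(root).as_posix(), label))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample storage in a temp dir and audit it."""
    form_body = "type: Form\nidentifier: {ident}\nrenderables: []\n"
    samples = {
        # canonical name: must not be reported
        "contact.form.yaml": form_body.format(ident="contact"),
        # mixed-case extension (CVE-2026-47346 pattern)
        "Feedback.Form.YAML": form_body.format(ident="feedback"),
        # plain .yaml without the .form.yaml suffix (CVE-2026-11607 pattern)
        "newsletter.yaml": form_body.format(ident="newsletter"),
        # form definition hidden behind an unrelated extension
        "legacy/notes.txt": form_body.format(ident="notes"),
        # ordinary YAML that is not a form definition: must not be reported
        "readme.yaml": "type: Page\nidentifier: readme\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in samples.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return audit_storage(root)


if __name__ == "__main__":
    for rel_path, label in demo():
        print(f"{label:35} {rel_path}")
```

Run it against a real storage with `audit_storage(Path("/path/to/fileadmin"))`; any hit is a file the Form Framework may treat as a form definition even though its name would not pass a strict `.form.yaml` check, and is worth reviewing alongside the upload and file-mount permissions of the account that created it.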

RECOMMENDATION:

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-jh32-v29g-68pq
https://github.com/advisories/GHSA-hwvq-2w67-rvxp
https://github.com/advisories/GHSA-chm7-4vch-h8vr
https://github.com/advisories/GHSA-pjpj-v387-x4vq
https://github.com/advisories/GHSA-3v8v-4wg6-r7qh
