Description
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Published: 2026-06-09
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Backend users granted access to TYPO3’s Form Framework could load form definition files with any extension. The system processed these files without checking for a .form.yaml suffix, allowing maliciously crafted definitions to execute arbitrary SQL statements. This exposure lets an attacker elevate privileges, including the creation of administrative backend user accounts. The vulnerability is a classic Missing Authorization flaw, classified as CWE-862.

Affected Systems

TYPO3 CMS is affected in all releases prior to 10.4.57, 11.5.51, 12.4.46, 13.4.31 and 14.3.3. The issue arises for any installation where backend users have permission to use the Form Framework.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity vulnerability. The EPSS score is not available, so the current exploitation probability is unknown, but the lack of an EPSS entry does not reduce the risk posed by the flaw. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated backend user with Form Framework permissions; an attacker with such access can perform the exploit by uploading or referencing a malicious file. Given the internal nature of the attack surface, organisations with untrusted backend users or no audit of form permissions should treat this risk as significant.

Generated by OpenCVE AI on June 9, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest TYPO3 release that includes the fix (v10.4.57 or newer, v11.5.51 or newer, v12.4.46 or newer, v13.4.31 or newer, or v14.3.3 or newer).
  • Restrict backend user access to the Form Framework, limiting the ability to load custom form definition files.
  • Reconfigure the Form Framework to enforce that only files ending in .form.yaml are accepted as form definitions, thereby removing the processing path for arbitrary files.


Tracking


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 13:30:00 +0000

Values Added:
Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 11:15:00 +0000

Values Added:
Description: Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Title: TYPO3 CMS - Broken Access Control in Form Framework
First Time appeared: Typo3, Typo3 typo3
Weaknesses: CWE-862
CPEs: cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products: Typo3, Typo3 typo3
References:
Metrics: cvssV4_0
{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T12:53:55.463Z

Reserved: 2026-06-08T15:41:55.470Z

Link: CVE-2026-11607

Vulnrichment

Updated: 2026-06-09T12:53:52.129Z

NVD

Status: Deferred

Published: 2026-06-09T11:16:47.027

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-11607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T13:00:05Z

Weaknesses