Description
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Published: 2026-06-09
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TYPO3 CMS allows backend users with file write permissions to upload form definition files. The system enforces extensions in a case‑sensitive way, so files with mixed‑case extensions such as .FORM.YAML bypass the restriction. An attacker may then craft a malicious form definition that contains arbitrary SQL. Executing this SQL lets the attacker create accounts with administrative privileges. The flaw involves improper access control (CWE‑862) and incorrect handling of case‑sensitive file names (CWE‑178), resulting in a privilege‑escalation vulnerability.
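As an added illustration (not TYPO3's own code; the function names and the sample file list below are constructed for this example), the case-sensitive suffix comparison described above is shown beside a case-folded check, with a scan that lists files an existing storage accepted only because of the mixed-case gap:

```python
import os

# Suffix the TYPO3 Form Framework uses for form definition files (from the advisory).
FORM_DEFINITION_SUFFIX = ".form.yaml"


def is_form_definition_case_sensitive(filename):
    """The weak check described in the advisory: a byte-wise suffix comparison.
    'contact.FORM.YAML' does not match, so the upload restriction is not applied."""
    return filename.endswith(FORM_DEFINITION_SUFFIX)


def is_form_definition(filename):
    """Hardened check: case-fold the name before comparing, so every capitalisation
    of the suffix is classified as a form definition and the restriction applies."""
    return filename.casefold().endswith(FORM_DEFINITION_SUFFIX)


def find_bypass_candidates(filenames):
    """Detection: names the hardened check treats as form definitions but the
    case-sensitive check let through, i.e. files that an unpatched instance
    would have accepted only because of the case-handling gap."""
    return [
        name for name in filenames
        if is_form_definition(name) and not is_form_definition_case_sensitive(name)
    ]


def scan_storage(root):
    """Walk a file storage (for example a TYPO3 fileadmin directory, assumed path)
    and return the full paths of every bypass candidate it contains."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in find_bypass_candidates(files):
            hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# Constructed sample listing for a stand-alone run (not from any real installation).
SAMPLE_UPLOADS = [
    "contact.form.yaml",      # ordinary definition: both checks agree
    "newsletter.FORM.YAML",   # mixed case: the weak check misses it
    "survey.Form.Yaml",       # mixed case: the weak check misses it
    "logo.png",               # unrelated upload
    "notes.yaml",             # plain YAML, not a form definition
]

if __name__ == "__main__":
    for name in find_bypass_candidates(SAMPLE_UPLOADS):
        print("accepted only because of the case-sensitive check:", name)
```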

Affected Systems

Affected systems include TYPO3 CMS versions prior to 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.

Risk and Exploitability

The CVSS score indicates High severity at 7.6, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires an authenticated backend user with file write permissions, who uploads a mixed‑case form definition to the web interface. The attacker can then execute crafted SQL to create administrative backend accounts, thereby gaining full control of the CMS instance.

Generated by OpenCVE AI on June 9, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TYPO3 CMS to a patched release: 10.4.57 or later, 11.5.50 or later, 12.4.45 or later, 13.4.30 or later, or 14.3.2 or later.
  • Ensure that file upload validation rejects mixed‑case extensions or performs case‑insensitive checks for allowed file types.
  • Revoke file write permissions from backend users who do not require them, limiting their ability to upload form definitions.
  • As a temporary measure, disable the form framework or block uploading of form definition files until the patch can be applied.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 11:15:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Title                 (none)           TYPO3 CMS - Broken Access Control in Form Framework
First Time appeared   (none)           Typo3; Typo3 typo3
Weaknesses            (none)           CWE-178, CWE-862
CPEs                  (none)           cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Typo3; Typo3 typo3
References            (none)           (none)
Metrics               (none)           cvssV4_0: {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T12:52:49.295Z

Reserved: 2026-05-19T12:49:25.966Z

Link: CVE-2026-47346

Vulnrichment

Updated: 2026-06-09T12:52:43.962Z

NVD

Status : Deferred

Published: 2026-06-09T11:16:52.320

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-47346

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses