Description
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows backend users with write access to the form_definition table to create, update or delete form records via DataHandler, bypassing the Form Framework validation and permission checks. This bypass enables injection of arbitrary form configurations, allowing attackers to exploit previously fixed SQL injection paths and gain higher privileges. The issue is rooted in missing authorization checks and inadequate input validation, as categorized by CWE-862 and CWE-89.

Affected Systems

TYPO3 CMS versions 14.0.0 through 14.3.3 are affected. All installations running these versions should verify whether backend users have write privileges to the form_definition database table, as the flaw only manifests when such permissions are granted.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the exploit is feasible for any backend user with write access, which is common in production environments that allow site editors or administrators. Because the flaw can enable both privilege escalation and SQL injection, an attacker can potentially compromise database integrity, gain read/write access, or execute arbitrary queries. No known public exploitation has been reported, and it is not listed in the CISA KEV catalog, but the EPSS score is not available, so the exact likelihood of exploitation remains uncertain. Nevertheless, the combination of high impact and the broad scope warrants prompt remediation.

Generated by OpenCVE AI on June 9, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TYPO3 CMS to version 14.3.4 or later, which includes the enforcement of validation and permission checks in the Form Framework.
  • Restrict backend user permissions so that no user has write access to the form_definition table unless explicitly required for a specific role.
  • Conduct a thorough audit of any custom form configurations or extensions that might still rely on legacy form handling logic, ensuring that all configurations are sanitized and validated.
  • As a temporary measure, disable or restrict the DataHandler functionality that allows direct manipulation of form_definition records until a patch is applied.

Generated by OpenCVE AI on June 9, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.
Title TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework
First Time appeared Typo3
Typo3 typo3
Weaknesses CWE-862
CWE-89
CPEs cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products Typo3
Typo3 typo3
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Typo3 Typo3
cve-icon MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:37:26.389Z

Reserved: 2026-06-01T10:52:50.597Z

Link: CVE-2026-49741

cve-icon Vulnrichment

Updated: 2026-06-09T13:37:22.372Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T11:16:53.520

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-49741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses