Impact
The vulnerability is a classic SQL injection (CWE-89) in the TYPO3 news extension (EXT:news). When the "Date Menu of news articles" plugin is active, untrusted data from a URL parameter is concatenated directly into a database query. An attacker can inject arbitrary SQL and read sensitive data, modify records or delete data, potentially leading to full compromise of the database. No authentication is required: anyone who can reach the vulnerable URL can exploit the flaw.
Affected Systems
Affected are TYPO3 installations running the news extension with the "Date Menu of news articles" plugin enabled. The injection point is reachable in affected versions of the extension whenever the TypoScript/plugin setting disableOverrideDemand is not enabled; with that setting on, URL parameters cannot override the query demand. The extension is community-maintained rather than part of the TYPO3 core, so every site that has it installed and uses the plugin should be treated as impacted.
Risk and Exploitability
The reported CVSS score of 8.2 indicates high severity: the attacker needs only network access to the vulnerable URL and no authentication. No EPSS score is available, and the absence of a KEV listing does not lower the actual risk. An unauthenticated attacker triggers the flaw by requesting a crafted URL with a malicious parameter. Because exposure depends on a specific plugin being placed on a page and on a TypoScript setting, affected sites are easy to overlook during inventory; every installation with the extension should be checked rather than only those known to use the date menu. Given the high impact and the low exploitation effort, the risk to affected systems is considerable unless mitigations such as disabling the plugin or enabling disableOverrideDemand are applied.
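The mechanism described above (a date-menu filter that concatenates a URL parameter into SQL) and the effect of the disableOverrideDemand mitigation, as an added illustration that is not the extension's code and not part of this advisory. The table layout, the parameter names `year` and `month`, the `resolve_demand` model of the setting, and the injection string are all constructed for the demo; the example runs offline against an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed sample rows (uid, title, unix timestamp, hidden flag). Table and
# column names are assumptions for this demo, not the extension's real schema.
SAMPLE_ROWS = [
    (1, "Public article, March 2024", 1709600000, 0),  # 2024-03-05
    (2, "Public article, April 2024", 1712880000, 0),  # 2024-04-12
    (3, "Unpublished draft", 1713600000, 1),           # 2024-04-20, hidden
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (uid INTEGER PRIMARY KEY, title TEXT,"
        " datetime INTEGER, hidden INTEGER)"
    )
    conn.executemany("INSERT INTO news VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def resolve_demand(base_demand, url_params, disable_override_demand):
    """Models the disableOverrideDemand setting (assumption, not the real
    extension logic): when it is on, URL parameters never reach the query;
    when it is off, they override the configured defaults."""
    demand = dict(base_demand)
    if not disable_override_demand:
        demand.update(url_params)
    return demand


def date_menu_vulnerable(conn, demand):
    """Month filter built by string concatenation: the CWE-89 pattern."""
    sql = (
        "SELECT uid FROM news WHERE hidden = 0"
        " AND strftime('%Y', datetime, 'unixepoch') = '" + str(demand["year"]) + "'"
        " AND strftime('%m', datetime, 'unixepoch') = '" + str(demand["month"]) + "'"
        " ORDER BY uid"
    )
    return [row[0] for row in conn.execute(sql)]


def date_menu_hardened(conn, demand):
    """Same filter with input validation and bound parameters."""
    year, month = str(demand["year"]), str(demand["month"])
    if not (re.fullmatch(r"\d{4}", year) and re.fullmatch(r"\d{1,2}", month)):
        raise ValueError("year and month must be numeric")
    if not 1 <= int(month) <= 12:
        raise ValueError("month out of range")
    sql = (
        "SELECT uid FROM news WHERE hidden = 0"
        " AND strftime('%Y', datetime, 'unixepoch') = ?"
        " AND strftime('%m', datetime, 'unixepoch') = ?"
        " ORDER BY uid"
    )
    return [row[0] for row in conn.execute(sql, (year, f"{int(month):02d}"))]


if __name__ == "__main__":
    conn = make_db()
    base = {"year": "2024", "month": "04"}          # demand configured on the page
    payload = {"month": "04' OR '1'='1"}            # constructed injection string
    # Override allowed + concatenation: the hidden draft leaks alongside the public rows.
    print(date_menu_vulnerable(conn, resolve_demand(base, payload, False)))
    # disableOverrideDemand on: the URL parameter is ignored, only April's public row.
    print(date_menu_vulnerable(conn, resolve_demand(base, payload, True)))
    # Hardened query: the payload fails validation before any SQL is built.
    try:
        date_menu_hardened(conn, resolve_demand(base, payload, False))
    except ValueError as err:
        print("hardened query rejected input:", err)
```

In EXT:news the setting modelled by `resolve_demand` is the TypoScript constant `plugin.tx_news.settings.disableOverrideDemand = 1`. It only removes the override path; the durable fix is the pattern in `date_menu_hardened`, i.e. bound parameters (`createNamedParameter` on TYPO3's QueryBuilder) plus validation of the year and month values before they are used.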
OpenCVE Enrichment