Impact
The AddressRepository::getSqlQuery() method in the TYPO3 "Address List" extension constructs a database query without sanitizing user input, creating a classic SQL Injection flaw (CWE-89). When called with untrusted data, the flaw could let an attacker manipulate queries, potentially accessing, modifying, or deleting sensitive data, and in some cases trigger arbitrary code execution depending on database privileges. The vulnerability is not exercised internally by the extension in a default configuration, but any custom or extended code that calls this method directly is at risk.
Affected Systems
All installations of the TYPO3 "Address List" extension (tt_address) are potentially affected, as the issue exists in the extension code regardless of version; specific version details are not provided. The risk materializes only if custom extensions or site code invoke AddressRepository::getSqlQuery() with user-controlled input. Default deployments that do not call the method remain unaffected.
Risk and Exploitability
The CVSS score of 8.2 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no public exploitation yet. The likely attack vector is through custom code that calls the vulnerable method; an attacker would need to inject crafted input into that call. Because the flaw allows arbitrary query manipulation, exploitation is serious but depends on the developer’s usage pattern. The absence of internal activation means the immediate threat is lower for vanilla installations, yet the high severity and lack of automatic mitigation warrant swift action.
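Because the exposure comes from custom callers, the practical mitigation is on the caller side: never let request data reach raw SQL text. The following is an added illustration written for this page, not code from tt_address or TYPO3; it contrasts a hypothetical unsafe site helper with its parameterized form, assuming TYPO3 11.5+ with Doctrine DBAL 3 and a request-derived `$city` value.

```php
<?php
declare(strict_types=1);

// Hypothetical site extension code (constructed example, not from tt_address).
use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * UNSAFE: the user-controlled value is spliced into the SQL string itself.
 * This is the CWE-89 pattern the advisory describes: any caller that hands
 * request data to code building raw SQL inherits the injection flaw.
 */
function findAddressesUnsafe(string $city): array
{
    $connection = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getConnectionForTable('tt_address');
    $sql = "SELECT uid, name, city FROM tt_address "
        . "WHERE deleted = 0 AND city = '" . $city . "'";   // value becomes SQL text
    return $connection->executeQuery($sql)->fetchAllAssociative();
}

/**
 * SAFE: the value is bound as a named parameter, so the database driver
 * treats it as data and it can never change the query structure.
 * The QueryBuilder also applies the default restrictions (deleted/hidden).
 */
function findAddressesSafe(string $city): array
{
    $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getQueryBuilderForTable('tt_address');
    return $queryBuilder
        ->select('uid', 'name', 'city')
        ->from('tt_address')
        ->where(
            $queryBuilder->expr()->eq(
                'city',
                $queryBuilder->createNamedParameter($city, Connection::PARAM_STR)
            )
        )
        ->executeQuery()
        ->fetchAllAssociative();
}
```

When auditing a site for this advisory, search the custom code base for calls to `getSqlQuery(` and confirm every argument is either a constant or bound through the QueryBuilder as above.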
OpenCVE Enrichment