CVE-2026-49741

Sažetak

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.

Reference

https://github.com/TYPO3/typo3/commit/c90493c13b633f328cf2c066182c90a1655ff0fc
https://typo3.org/security/advisory/typo3-core-sa-2018-003
https://typo3.org/security/advisory/typo3-core-sa-2026-017

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

09-06-2026 - 13:46

Objavljeno

09-06-2026 - 11:16