CVE-2026-49741
TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework
Severity: HIGH
Title source: cnaDescription
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.
References (3)
Core References (3)
Vendor Advisory
https://typo3.org/security/advisory/typo3-core-sa-2026-017
Related
https://typo3.org/security/advisory/typo3-core-sa-2018-003
Patch (Git commit of main branch)
https://github.com/TYPO3/typo3/commit/c90493c13b633f328cf2c066182c90a1655ff0fc
Scores
CVSS v4
8.7
EPSS
0.0037
EPSS Percentile
28.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
CWE-89
Status
published
Products (3)
typo3/cms-core
14.0.0 - 14.3.3 (Packagist)
typo3/cms-form
14.0.0 - 14.3.3 (Packagist)
TYPO3/TYPO3 CMS
14.0.0 - 14.3.3
Published
Jun 09, 2026
Tracked Since
Jun 09, 2026