CVE-2026-6553
HIGHTYPO3 CMS Stores Cleartext Password in User Settings Module
Title source: cnaDescription
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://typo3.org/security/advisory/typo3-core-sa-2026-005
Patch patch
Git commit of main branch
https://github.com/TYPO3/typo3/commit/9a6e913f70767f63b322ae3e2d2f4e302624c291
Scores
CVSS v3
7.5
EPSS
0.0017
EPSS Percentile
6.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-312
Status
published
Products (3)
typo3/cms-backend
14.2.0 - 14.3.0Packagist
typo3/typo3
14.2.0
TYPO3/TYPO3 CMS
14.2.0 - 14.3.0
Published
Apr 21, 2026
Tracked Since
Apr 21, 2026