CVE-2026-46721

UNKNOWN 0.0

Broken Access Control in extension "Frontend User Registration" (sf_register)

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.

CWE	CWE-915 CWE-639
Vendor	typo3
Product	extension "frontend user registration"
Published	May 19, 2026
Last Updated	May 19, 2026

Stay Ahead of the Next One

Get instant alerts for typo3 extension "frontend user registration"

Be the first to know when new unknown vulnerabilities affecting typo3 extension "frontend user registration" are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

TYPO3 / Extension "Frontend User Registration"

14.0.0 < 14.0.2 0 < 13.2.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

typo3.org: https://typo3.org/security/advisory/typo3-ext-sa-2026-009

Credits

🔍 Seungbin Yang Sebastian Fischer