🔐 CVE Alert

CVE-2026-49741

UNKNOWN 0.0

TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 8th

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.

CWE: CWE-862, CWE-89
Vendor: typo3
Product: typo3 cms
Published: Jun 9, 2026
Last Updated: Jun 9, 2026

Affected Versions

TYPO3 / TYPO3 CMS
14.0.0 < 14.3.3

References

typo3.org: https://typo3.org/security/advisory/typo3-core-sa-2026-017
typo3.org: https://typo3.org/security/advisory/typo3-core-sa-2018-003
github.com: https://github.com/TYPO3/typo3/commit/c90493c13b633f328cf2c066182c90a1655ff0fc

Credits

Selçuk Güney, Oliver Hader