CVE Alert

CVE-2026-8726

UNKNOWN 0.0

SQL Injection in extension "News system" (news)

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

CWE CWE-89
Vendor typo3
Product extension "news system"
Published May 19, 2026
Last Updated May 19, 2026

Affected Versions

TYPO3 / Extension "News system"
14.0.0 < 14.0.3
13.0.0 < 13.0.2
12.0.0 < 12.3.2
0 < 11.4.4

References

typo3.org: https://typo3.org/security/advisory/typo3-ext-sa-2026-010

Credits

Christian Kuhn, Georg Ringer