๐Ÿ” CVE Alert

CVE-2026-8827

UNKNOWN 0.0

SQL Injection in extension "Address List" (tt_address)

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 9th

The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.

CWE CWE-89
Vendor typo3
Product extension "address list"
Published May 19, 2026
Last Updated May 19, 2026

Affected Versions

TYPO3 / Extension "Address List"
10.0.0 < 10.0.1
9.0.0 < 9.1.1
0 < 8.1.2

References

typo3.org: https://typo3.org/security/advisory/typo3-ext-sa-2026-012

Credits

๐Ÿ” Georg Ringer Georg Ringer