CVE-2026-8726
SQL Injection in Date Menu News Articles Extension
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: TYPO3
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| typo3 | date_menu_of_news_articles | From 11.4.3 (inc) to 14.0.3 (exc) |
| typo3 | news | From 11.4.3 (inc) to 14.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a high-severity SQL injection flaw in the TYPO3 "News system" extension, specifically in its "Date Menu of news articles" plugin. A value taken from a URL parameter reaches a database query without being properly neutralized, so SQL syntax in that value is interpreted as part of the query rather than as ordinary data.
An unauthenticated attacker can exploit it by sending crafted SQL fragments in that URL parameter to any page that renders the plugin, provided the plugin is active and the TypoScript setting `disableOverrideDemand` is not enabled.
How can this vulnerability impact me?
The impact is significant because an unauthenticated attacker can execute arbitrary SQL statements with the privileges of the TYPO3 database user. Depending on those privileges, this allows reading data the plugin was never meant to expose, modifying or deleting records, or fully compromising the database behind the site.
Such an attack can result in data breaches, loss of data integrity, and disruption of services that rely on the database.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is exploited through a URL parameter on pages that render the "Date Menu of news articles" plugin, so exploitation attempts leave traces in the web server's access logs. Detection therefore means reviewing requests to those pages for query parameters whose values contain SQL syntax.
Analyze the logs for URL parameters carrying SQL keywords or metacharacters, remembering that attackers URL-encode (sometimes double-encode) their payloads, so decode parameter values before matching.
The advisory itself provides no specific commands, but common approaches include grep or other log-analysis utilities searching for parameter values containing SQL keywords such as 'SELECT' or 'UNION', quote characters, or SQL comment sequences such as '--', '#' and '/*'. A spike in HTTP 500 responses for such requests is a further sign that injected syntax actually reached the database.
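As an added example, not part of the advisory or of the news extension's own code, the following Python script applies that approach to web-server access logs: it parses combined-format lines, URL-decodes every query parameter (a second time when the first pass still leaves percent-escapes, to surface double-encoded payloads) and flags values that contain SQL keywords, comment sequences or quote characters, noting whether the hit lies inside the news plugin's parameter namespace. The log lines are constructed, and the plugin namespace `tx_news_pi1` and the `overwriteDemand` parameter names are assumptions used for illustration; the advisory does not name the vulnerable parameter.

```python
"""First-pass detector for SQL injection attempts in access logs.

Constructed sample data; the ``tx_news_pi1[overwriteDemand][...]``
parameter names are an assumption for illustration, not taken from
the advisory.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# SQL syntax that a legitimate date-menu or list request has no reason
# to carry. Leftmost match wins, so a quote usually surfaces first.
SQL_MARKERS = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--|/\*|#|'|\")"
)

# Assumed plugin parameter namespace of the TYPO3 news extension.
NEWS_PARAM_PREFIX = "tx_news_pi1["


def decode_again(value):
    """parse_qsl already decoded once; decode a second time if escapes remain
    so that double-encoded payloads such as %2527 become a plain quote."""
    return unquote(value) if "%" in value else value


def suspicious_params(target):
    """Return [(name, decoded_value, matched_marker)] for every query
    parameter of the request target whose value contains SQL syntax."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode_again(value)
        m = SQL_MARKERS.search(decoded)
        if m:
            hits.append((unquote(name), decoded, m.group(0)))
    return hits


def scan_log(lines):
    """Yield one finding per request whose query parameters contain SQL syntax."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if not hits:
            continue
        yield {
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": m.group("status"),
            "news_plugin": any(n.startswith(NEWS_PARAM_PREFIX) for n, _, _ in hits),
            "params": hits,
        }


def findings_for(log_text):
    """Convenience wrapper: scan a whole log text and return a list."""
    return list(scan_log(log_text.splitlines()))


# Constructed sample: a benign request, a single-encoded UNION payload that
# produced a 500, a double-encoded time-based payload, and an unrelated
# search term with an apostrophe (an expected false positive to triage).
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2026:10:01:12 +0000] "GET /news/?tx_news_pi1%5BoverwriteDemand%5D%5Byear%5D=2026 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2026:10:01:15 +0000] "GET /news/?tx_news_pi1%5BoverwriteDemand%5D%5Byear%5D=2026%27%20UNION%20SELECT%201--%20- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.9 - - [19/May/2026:10:02:40 +0000] "GET /news/?tx_news_pi1%5BoverwriteDemand%5D%5Bmonth%5D=5%2527%2520AND%2520SLEEP(5)%2523 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
192.0.2.44 - - [19/May/2026:10:03:01 +0000] "GET /search/?q=O%27Brien HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in findings_for(SAMPLE_LOG):
        scope = "news plugin" if f["news_plugin"] else "other"
        print(f"{f['time']} {f['ip']} status={f['status']} [{scope}]")
        for name, value, marker in f["params"]:
            print(f"    {name} = {value!r}  (matched {marker!r})")
```

Run it against a real log with `findings_for(open("access.log").read())`; findings tagged `news_plugin` against pages that render the Date Menu plugin deserve priority, and a 500 status on a flagged request is a strong indication that the injected syntax reached the database. The quote-character rule will also catch legitimate apostrophes (the search example above), so treat the output as a triage list rather than a verdict.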
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the TYPO3 "News system" extension to a fixed release. Versions 14.0.3, 13.0.2, 12.3.2 and 11.4.4 contain the fix for their respective branches; any later release in the same branch is also fixed.
Update via Composer (the package is published on Packagist) or, for non-Composer installations, through the TYPO3 Extension Manager from the official TYPO3 Extension Repository (TER).
If you cannot update immediately, enabling the `disableOverrideDemand` option (in TypoScript, `plugin.tx_news.settings.disableOverrideDemand = 1`, or the corresponding plugin setting) stops URL parameters from overriding the plugin's configured demand and so closes the path by which the injected value reaches the query. Treat this as a workaround until the update is applied, not as a substitute for it.
Following general security best practices and subscribing to the typo3-announce mailing list for future advisories is also recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to perform SQL injection via a URL parameter, potentially leading to unauthorized access or manipulation of database information.
Such unauthorized access or data manipulation can compromise the confidentiality and integrity of personal or sensitive data, which may result in non-compliance with data protection regulations like GDPR or HIPAA.
Organizations using the affected TYPO3 extensions should promptly apply the security updates to mitigate risks and maintain compliance with these standards.