CVE-2026-8726

Deferred Deferred - Pending Action

SQL Injection in Date Menu News Articles Extension

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: TYPO3

Description

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-19

Last Modified

2026-05-19

Generated

2026-06-10

AI Q&A

2026-05-19

EPSS Evaluated

2026-06-08

NVD

CVE-2026-8726

EUVD

EUVD-2026-30861

Affected Vendors & Products

Vendor	Product	Version / Range
typo3	date_menu_of_news_articles	From 11.4.3 (inc) to 14.0.3 (exc)
typo3	news	From 11.4.3 (inc) to 14.0.3 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability is a high-severity SQL injection flaw in the TYPO3 "News system" extension, specifically affecting the "Date Menu of news articles" plugin. It occurs because the extension fails to properly sanitize user input before using it in a database query.

An unauthenticated attacker can exploit this by injecting arbitrary SQL code through a URL parameter on pages that use this plugin, provided the plugin is active and the TypoScript setting disableOverrideDemand is not enabled.

Impact Analysis

The impact of this vulnerability is significant because it allows an unauthenticated attacker to execute arbitrary SQL commands on the database. This can lead to unauthorized data access, data modification, or even complete compromise of the affected system's database.

Such an attack can result in data breaches, loss of data integrity, and potential disruption of services that rely on the database.

Detection Guidance

This vulnerability involves SQL injection via a URL parameter on pages using the "Date Menu of news articles" plugin in TYPO3. Detection involves monitoring web requests for suspicious or malformed URL parameters targeting this plugin.

You can detect potential exploitation attempts by analyzing web server logs for unusual URL parameters or SQL syntax patterns in requests related to the affected plugin.

Specific commands are not provided in the available resources, but common approaches include using tools like grep or log analysis utilities to search for suspicious URL parameters containing SQL keywords such as 'SELECT', 'UNION', or SQL comment characters.

Mitigation Strategies

The immediate mitigation step is to update the affected TYPO3 "News system" extension to a fixed version. Versions 14.0.3, 13.0.2, 12.3.2, and 11.4.4 or later contain the fix for this vulnerability.

Updating can be done through the TYPO3 extension manager, Packagist, or the official TYPO3 extensions repository.

Additionally, enabling the TypoScript/Plugin setting `disableOverrideDemand` can help prevent exploitation if updating immediately is not possible.

Following general security best practices and subscribing to the typo3-announce mailing list for updates is also recommended.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL injection via a URL parameter, potentially leading to unauthorized access or manipulation of database information.

Such unauthorized access or data manipulation can compromise the confidentiality and integrity of personal or sensitive data, which may result in non-compliance with data protection regulations like GDPR or HIPAA.

Organizations using the affected TYPO3 extensions should promptly apply the security updates to mitigate risks and maintain compliance with these standards.

Hi! I’m here to help you understand CVE-2026-8726. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-8726

SQL Injection in Date Menu News Articles Extension

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart