CVE-2026-11607
SQL Injection in TYPO3 CMS Form Framework

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Affected Vendors & Products (1 associated CPE)

Vendor: typo3
Product: typo3_cms
Version range: from 14.0.0 (inclusive) to 14.3.3 (inclusive)
CWE

CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

This vulnerability occurs in TYPO3 CMS where backend users with access to the Form Framework could upload and use files as form definitions even if those files did not have the required .form.yaml extension.

Because the system did not properly enforce the file extension check, maliciously crafted form definition files could be processed, allowing attackers to execute arbitrary SQL statements.

This SQL execution capability enables attackers to escalate their privileges by creating administrative backend user accounts, compromising the system's security.

Impact Analysis

If exploited, this vulnerability allows an attacker with backend access to escalate their privileges by executing arbitrary SQL commands.

Specifically, attackers can create administrative backend user accounts, gaining full control over the TYPO3 CMS installation.

This can lead to unauthorized access, data manipulation, and potentially full compromise of the affected system.

Detection Guidance

This vulnerability involves backend users uploading and using files with incorrect extensions (not ending in .form.yaml) as form definitions in TYPO3 CMS. Detection involves identifying such improperly named form definition files within the system.

You can detect potentially malicious files by searching the TYPO3 installation directories for form definition files that do not end with the required .form.yaml extension.

  • Use a command like: find /path/to/typo3/ -type f ! -name '*.form.yaml' -exec grep -l 'form definition' {} + to locate files that might be used as form definitions but have incorrect extensions. The grep pattern here is only a placeholder for content characteristic of a form definition; TYPO3 form definitions are YAML documents whose top-level type key is Form, so matching on that is more reliable than matching the literal phrase "form definition". Restrict the search to the storage locations your form configuration allows (by default, file storages the backend user can write to) to keep the number of false positives manageable.
  • Check backend user activity logs (the TYPO3 system log and file-abstraction-layer actions) for uploads, renames or modifications of files with suspicious extensions by users who have access to the Form Framework.

Since the vulnerability allows execution of arbitrary SQL via malicious form files, monitoring database logs for unusual administrative user creation or privilege escalations can also help detect exploitation; in particular, watch for new rows in the be_users table with the admin flag set that were not created through the normal backend user management workflow.

Mitigation Strategies

The primary mitigation step is to update TYPO3 CMS to a patched version where this vulnerability is fixed.

  • Upgrade to TYPO3 CMS versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS or later.

These updates enforce strict validation of form definition files, ensuring only files ending with .form.yaml are accepted, preventing malicious files from being processed.

Additionally, follow the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for ongoing security updates and best practices.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
