CVE-2026-47346
SQL Injection via Malicious Form Definition in TYPO3 CMS

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Affected Vendors & Products (5 associated CPEs)

Vendor   Product     Version / Range
typo3    typo3_cms   before 10.4.57
typo3    typo3_cms   from 11.0.0 (inclusive) to 11.5.51 (exclusive)
typo3    typo3_cms   from 12.0.0 (inclusive) to 12.4.46 (exclusive)
typo3    typo3_cms   from 13.0.0 (inclusive) to 13.4.31 (exclusive)
typo3    typo3_cms   from 14.0.0 (inclusive) to 14.3.3 (exclusive)
Weakness Enumeration (CWE)

CWE ID    Description
CWE-178   The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in the TYPO3 CMS Form Framework where backend users with file write permissions can upload form definition files using mixed-case file extensions (such as .FORM.YAML) to bypass upload restrictions.

Because the system did not properly check file extensions in a case-insensitive manner, attackers could upload maliciously crafted form definition files that execute arbitrary SQL statements.

This allows attackers to escalate privileges by creating administrative backend user accounts, compromising the system's security.

Impact Analysis

The vulnerability can lead to privilege escalation within TYPO3 CMS by allowing attackers to execute arbitrary SQL commands.

Specifically, attackers can create administrative backend user accounts, gaining full control over the CMS backend.

This can result in unauthorized access, modification, or deletion of content and configuration, potentially compromising the entire website or application.

Detection Guidance

This vulnerability involves backend users uploading form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass upload restrictions. Detection involves identifying such suspicious files on your TYPO3 CMS installation.

You can scan your TYPO3 file storage or upload directories for files with mixed-case or unusual extensions related to form definitions, such as variations of .form.yaml with uppercase letters.

  • Use a command to find files with mixed-case .form.yaml extensions, for example on a Linux system (note that -iname alone also matches legitimate all-lowercase files, so exclude those with ! -name): find /path/to/typo3/uploads -type f -iname '*.form.yaml' ! -name '*.form.yaml'
  • Check backend user permissions to identify users with file write access who might upload such files.
  • Review TYPO3 logs for unusual file upload activities or attempts to upload files with mixed-case extensions.
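
As an added, defender-side illustration that is not part of this CVE record or of TYPO3's own code: a POSIX shell script that lists only the mixed-case variants (since -iname alone also returns every legitimate lower-case .form.yaml file) and shows the case-folding comparison an upload allow-list should perform. It assumes a find(1) that supports -iname (GNU and BSD both do) and builds a constructed sample directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the CVE record or TYPO3): detect form definition
# files whose extension matches ".form.yaml" only case-insensitively, i.e. the
# mixed-case variants (CWE-178) that the vulnerable upload check let through.
# Assumes find(1) with -iname (GNU and BSD find both provide it).

# Print every file under $1 whose name matches *.form.yaml ignoring case,
# but NOT when it is spelled in all-lowercase. One path per line.
find_mixedcase_form_definitions() {
    find "$1" -type f -iname '*.form.yaml' ! -name '*.form.yaml'
}

# Number of such files, convenient for monitoring or alerting scripts.
count_mixedcase_form_definitions() {
    find_mixedcase_form_definitions "$1" | wc -l | tr -d ' '
}

# The comparison a hardened allow-list check should use: fold the name to
# lower-case before matching the extension, so .FORM.YAML, .Form.Yaml and
# .form.yaml are all treated identically. Returns 0 for a form definition.
is_form_definition_name() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.form.yaml) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample tree (not real TYPO3 data) so the script runs offline.
# Prints the temporary directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/fileadmin/forms"
    : > "$dir/fileadmin/forms/contact.form.yaml"   # legitimate, lower-case
    : > "$dir/fileadmin/forms/evil.FORM.YAML"      # mixed-case bypass variant
    : > "$dir/fileadmin/forms/another.Form.Yaml"   # mixed-case bypass variant
    : > "$dir/fileadmin/forms/readme.txt"          # unrelated file
    printf '%s' "$dir"
}

# Usage: ./check.sh /path/to/typo3/fileadmin  (path is a placeholder)
if [ -n "${1:-}" ]; then
    find_mixedcase_form_definitions "$1"
fi
```

Running it with no argument only defines the functions; pass the storage root to scan a real installation.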
Mitigation Strategies

The primary mitigation step is to update your TYPO3 CMS installation to a patched version that fixes this vulnerability.

  • Upgrade to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS or later.
  • Restrict backend user permissions to limit file write access only to trusted users.
  • Follow TYPO3 Security Guide recommendations and subscribe to the typo3-announce mailing list for security updates.

These steps will prevent attackers from uploading malicious form definition files with mixed-case extensions and executing arbitrary SQL statements.
