CVE-2026-11607 HIGH

CVE-2026-11607: TYPO3 CMS - Broken Access Control in Form Framework

Vendor Typo3

Product TYPO3 CMS

Weakness CWE-862 · Missing authorization

Published June 9, 2026

Last update June 11, 2026

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Key dates

Disclosure timeline

June 9, 2026 CVE published

June 11, 2026 Record updated

Identifiers

CVE CVE-2026-11607

CWE CWE-862

CVSS 7.6 / HIGH

Affected versions

Vendor Typo3

Product TYPO3 CMS

Affected < 10.4.57

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 11.0.0 and < 11.5.51

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 12.0.0 and < 12.4.46

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 13.0.0 and < 13.4.31

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 14.0.0 and < 14.3.3