CVE-2026-47346 HIGH

CVE-2026-47346: TYPO3 CMS - Broken Access Control in Form Framework

Vendor Typo3

Product TYPO3 CMS

Weakness CWE-178

Published June 9, 2026

Last update June 11, 2026

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Key dates

Disclosure timeline

June 9, 2026 CVE published

June 11, 2026 Record updated

Identifiers

CVE CVE-2026-47346

CWE CWE-178

CVSS 7.6 / HIGH

Affected versions

Vendor Typo3

Product TYPO3 CMS

Affected < 10.4.57

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 11.0.0 and < 11.5.51

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 12.0.0 and < 12.4.46

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 13.0.0 and < 13.4.31

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 14.0.0 and < 14.3.3