CVE-2026-6553 HIGH

CVE-2026-6553: TYPO3 CMS Stores Cleartext Password in User Settings Module

Vendor Typo3

Product TYPO3 CMS

Weakness CWE-312 · Cleartext storage

Published April 21, 2026

Last update April 21, 2026

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

Description

Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.

Key dates

Disclosure timeline

April 21, 2026 CVE published

April 21, 2026 Record updated