CVE-2026-49741

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 09, 2026

Vendor unknown

Description

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.

References

https://github.com/TYPO3/typo3/commit/c90493c13b633f328cf2c066182c90a1655ff0fc
https://typo3.org/security/advisory/typo3-core-sa-2018-003
https://typo3.org/security/advisory/typo3-core-sa-2026-017