SQL Injection Vulnerability in TYPO3 CMS by Vendor TYPO3
CVE-2026-11607

7.6 HIGH

Key Information:

Vendor

TYPO3

Status
Vendor
CVE Published: 9 June 2026

What is CVE-2026-11607?

A vulnerability in TYPO3 CMS allows backend users to use files with incorrect extensions as form definitions. Attackers can exploit this weakness to execute arbitrary SQL commands, which may lead to unauthorized privilege escalation: attackers can create new administrative accounts, significantly compromising the integrity of the TYPO3 CMS. A range of TYPO3 versions is affected, so affected installations need timely updates.

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ethan
Oliver Hader