File Upload Vulnerability in TYPO3 CMS
CVE-2026-47346

7.6 HIGH

Key Information:

Vendor: TYPO3
Status: Vendor
CVE Published: 9 June 2026

What is CVE-2026-47346?

A vulnerability in TYPO3 CMS allows backend users with file write permissions to upload form definition files with mixed-case extensions, such as .FORM.YAML. Such uploads circumvent the Form Framework's upload restrictions and enable the execution of arbitrary SQL statements. Attackers can exploit this flaw to escalate privileges, potentially creating unauthorized administrative backend user accounts. The issue affects numerous TYPO3 CMS versions and requires immediate attention and patching.
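As an added example (not TYPO3 code and not from the advisory), the following audit walks a file storage root and reports every form definition file whose extension is not in canonical lower case, which is the kind of name the description says slipped past the upload restriction. The storage root, the directory names and the sample files are constructed assumptions; point audit_storage() at your own storage path.

```python
import os
import tempfile

FORM_SUFFIX = ".form.yaml"  # extension named in the advisory text


def is_form_definition(name: str) -> bool:
    """Case-insensitive match, so .FORM.YAML and .Form.Yaml are caught too."""
    return name.lower().endswith(FORM_SUFFIX)


def is_case_variant(name: str) -> bool:
    """A form definition whose suffix is not canonical lower case, i.e. a name
    that a case-sensitive suffix comparison would not have recognised."""
    return is_form_definition(name) and not name.endswith(FORM_SUFFIX)


def audit_storage(root: str) -> list[tuple[str, bool]]:
    """Return sorted (relative path, is_case_variant) for each form definition."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_form_definition(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), is_case_variant(name)))
    return sorted(findings)


def audit_sample() -> list[tuple[str, bool]]:
    """Build a constructed sample tree (hypothetical paths) and audit it."""
    sample = ("form_definitions/contact.form.yaml",
              "user_upload/invoice.FORM.YAML",
              "user_upload/notes.Form.Yaml",
              "user_upload/readme.yaml",
              "user_upload/form.yaml.txt")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("# constructed placeholder\n")
        return audit_storage(root)


if __name__ == "__main__":
    for rel, variant in audit_sample():
        print(("REVIEW " if variant else "ok     ") + rel)
```

Files flagged REVIEW are candidates for inspection on installations that ran an affected version; a flag by itself does not show that the file was processed.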

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alexander Künzl
Oliver Hader
Benjamin Franzke