Security Vulnerability in TYPO3 CMS Affects Backend User Permissions
CVE-2026-49741

8.7HIGH

Key Information:

Vendor

Typo3

Status
Vendor
CVE Published:
9 June 2026

What is CVE-2026-49741?

A critical security issue exists in TYPO3 CMS that allows backend users with write access to manipulate form definition records directly through DataHandler. This bypasses the Form Framework's essential persistence validation and permission checks, enabling the injection of arbitrary form configurations. This raises the risk of SQL injection and privilege escalation attacks, jeopardizing the integrity and security of the system. This issue affects multiple versions, highlighting the need for immediate updates and patching to mitigate potential exploitation.

Affected Version(s)

TYPO3 CMS 14.0.0 < 14.3.3

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Selçuk Güney
Oliver Hader
.