Cleartext Password Storage Vulnerability in TYPO3 CMS
CVE-2026-6553
7.3 HIGH
What is CVE-2026-6553?
A vulnerability in TYPO3 CMS causes backend users' passwords to be stored in cleartext: when a password is changed through the user settings module, it is written to the uc and user_settings fields of the be_users database table. This exposes user credentials, leaving them accessible in unencrypted form to anyone who can read those fields. Affected users should promptly update to the latest version to mitigate this security concern.
Affected Version(s)
TYPO3 CMS 14.2.0 < 14.3.0
CVSS V4
Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Martin Clewing
Garvin Hicking
Stefan Bürk
Oliver Hader
