SQL Injection Vulnerability in Date Menu of News Articles Plugin by TYPO3
CVE-2026-8726

8.2 HIGH

Key Information:

Vendor: Typo3

CVE Published: 19 May 2026

What is CVE-2026-8726?

The Date Menu of news articles plugin for TYPO3 is susceptible to an SQL injection vulnerability due to inadequate sanitization of user input in database queries. An unauthenticated attacker can potentially exploit this flaw by injecting arbitrary SQL through a URL parameter. Exploitation requires the presence of the plugin on the site and the 'disableOverrideDemand' setting in TypoScript/Plugin configuration to be disabled. Site administrators should review their configurations and take necessary actions to mitigate this vulnerability.

Affected Version(s)

Extension "News system" 14.0.0 < 14.0.3

Extension "News system" 13.0.0 < 13.0.2

Extension "News system" 12.0.0 < 12.3.2
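
A configuration review along the lines described above can be scripted. The following is an added example, not code from the TYPO3 project or the extension: it reads a `composer.lock` and a TypoScript dump, compares the locked version with the affected ranges listed here, and reports whether `disableOverrideDemand` is set to 1. Assumptions: the Composer package name `georgringer/news`, the TypoScript path `plugin.tx_news.settings`, and that a missing setting counts as not disabled; settings made in the plugin's own configuration form are not inspected.

```python
import json
import re

# Affected ranges from this page: (first affected, first fixed) per branch.
AFFECTED = [((14, 0, 0), (14, 0, 3)), ((13, 0, 0), (13, 0, 2)), ((12, 0, 0), (12, 3, 2))]
PACKAGE = "georgringer/news"  # assumption: Composer name of "News system"

def parse_version(text):
    """'v13.0.1' -> (13, 0, 1); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED)

def installed_version(composer_lock_text):
    """Return the locked version of the extension, or None if absent."""
    for pkg in json.loads(composer_lock_text).get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None

def override_demand_disabled(typoscript):
    """True only if the last uncommented assignment sets the flag to 1."""
    values = re.findall(
        r"^\s*(?:[\w.]+\.)?disableOverrideDemand\s*=\s*(\S+)", typoscript, re.M)
    return bool(values) and values[-1] == "1"

def audit(composer_lock_text, typoscript):
    version = installed_version(composer_lock_text)
    if version is None:
        return "not-installed"
    if not is_affected(version):
        return "version-ok"
    if override_demand_disabled(typoscript):
        return "update-needed-override-disabled"
    return "update-needed-exposed"

# Constructed sample inputs (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "georgringer/news", "version": "13.0.1"}]})
SAMPLE_TS_OPEN = "plugin.tx_news.settings {\n  # disableOverrideDemand = 1\n  disableOverrideDemand = 0\n}\n"
SAMPLE_TS_HARDENED = "plugin.tx_news.settings.disableOverrideDemand = 1\n"

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK, SAMPLE_TS_OPEN))
    print(audit(SAMPLE_LOCK, SAMPLE_TS_HARDENED))
```

Both sample results still call for an update: the setting only removes one precondition named in the description, while the version ranges above define what is affected.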

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Christian Kuhn
Georg Ringer