SQL Injection Vulnerability in TYPO3 Extension by TYPO3
CVE-2026-8827

8.2 HIGH

Key Information:

Vendor: Typo3
CVE Published: 19 May 2026

What is CVE-2026-8827?

The AddressRepository::getSqlQuery() method of the TYPO3 extension "Address List" is susceptible to SQL injection because user input is not adequately sanitized. The method is not invoked in the default installation, but it poses a risk when it is used by custom extensions that improperly handle user input. This vulnerability underscores the need for careful coding practices, especially when integrating external or untrusted data sources.

Affected Version(s)

Extension "Address List" 10.0.0 < 10.0.1

Extension "Address List" 9.0.0 < 9.1.1

Extension "Address List" 0 < 8.1.2

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Georg Ringer