CVE-2026-49741

Source
https://cve.org/CVERecord?id=CVE-2026-49741
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49741.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49741
Aliases
Published
2026-06-09T10:54:19.332Z
Modified
2026-07-17T03:41:50.370693846Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework
Details

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.2.

Database specific
{
    "cwe_ids": [
        "CWE-862",
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49741.json",
    "cna_assigner": "TYPO3"
}
References

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type
GIT
Repo
https://github.com/typo3/typo3
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.3.3"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v14.*
v14.0.0
v14.1.0
v14.2.0
v14.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49741.json"