GHSA-xvv6-p4wf-mvx7

Suggest an improvement
Source
https://github.com/advisories/GHSA-xvv6-p4wf-mvx7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xvv6-p4wf-mvx7/GHSA-xvv6-p4wf-mvx7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xvv6-p4wf-mvx7
Aliases
  • CVE-2026-6553
Published
2026-04-24T16:39:15Z
Modified
2026-05-08T15:33:52.427943Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
TYPO3 CMS Stores Cleartext Password in User Settings Module
Details

Problem

The backend user settings module (SetupModuleController) incorrectly conflates entity data (like passwords or email address) with user-interface settings (like theme, display options) when persisting changes. As a result, passwords were stored in cleartext in the uc and user_settings fields of the be_users database table.

The cleartext data was only persisted if users changed their credentials in the backend user settings module when the TYPO3 14.2.0 release was used (not in any other version).

Solution

Update to TYPO3 version 14.3.0 LTS which fixes the problem described.

[!IMPORTANT] Manual actions required

Updating to the patched release does not retroactively clean existing data. It is recommended to execute all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, which sanitizes the incorrectly persisted cleartext values from the uc and user_settings fields of the be_users table. Additionally, affected backend user accounts should be assigned new passwords.

Admin Tools → Upgrade → Upgrade Wizard → User Settings Scrubbing

Credits

TYPO3 thanks Martin Clewing for reporting this issue, and TYPO3 core team members Oliver Hader, Stefan Bürk and Garvin Hicking for fixing it.

Database specific 
{
    "github_reviewed_at": "2026-04-24T16:39:15Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2026-04-21T10:16:31Z",
    "cwe_ids": [
        "CWE-312"
    ]
}
References

Affected packages

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.2.0
Fixed
14.3.0

Affected versions

14.*
14.2.0
v14.*
v14.2.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xvv6-p4wf-mvx7/GHSA-xvv6-p4wf-mvx7.json"