The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8827.json",
"cna_assigner": "TYPO3",
"cwe_ids": [
"CWE-89"
]
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.1"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.1.1"
},
{
"introduced": "0"
},
{
"fixed": "8.1.2"
}
]
}