TYPO3 Form Framework Broken Access Control Advisory (CVE-2026-11607)

Vulnerability Overview Vulnerability Name: TYPO3-CORE-SA-2026-019: Broken Access Control in Form Framework Publication Date: June 9, 2026 Vulnerability Type: Broken Access Control Severity: High CVSS Score: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N References: CVE-2026-11607, CWE-862 Affected Versions Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, 14.0.0-14.3.2 Remediation Solution: Upgrade to a TYPO3 version that resolves this issue, including 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, and 14.3.3 LTS. Description Backend users are able to use files that do not end with as form definitions, and these files are not rejected during processing. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating admin backend user accounts. General Recommendations Follow the recommendations in the TYPO3 Security Guide. Subscribe to the typo3-announce mailing list. General Notes All security-related code changes have been tagged for easy finding in the Review System. Author Information Author: Oliver Hader Position: Core Developer at TYPO3 GmbH, Hof, Germany Bio: Oliver has been using TYPO3 since 2005 and became a member of the TYPO3 core team in 2007. After completing a graduate degree in Internet Network Science in 2014, he continued to research advanced web technology topics. In his spare time, he enjoys cycling. Footer Information Copyright: © 2026 TYPO3 Association. Legal: Legal Notice, Privacy Policy Social Media: LinkedIn, Instagram, Bluesky, Mastodon, Facebook, YouTube Language Selection Language: Language (Select Language) --- End of Summary

Goal Reached Thanks to every supporter — we hit 100%!

TYPO3 Form Framework Broken Access Control Advisory (CVE-2026-11607)