TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework (CVE-2026-47346)

TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework Vulnerability Overview Component Type: TYPO3 CMS Sub-component: Form Framework (ext:form) Publication Date: June 9, 2026 Vulnerability Type: Broken Access Control Severity: High CVSS Score: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N References: - CVE-2026-47346 - CWE-178 - CWE-862 Affected Versions Affected Versions: - 10.0.0-10.4.56 - 11.0.0-11.5.50 - 12.0.0-12.4.45 - 13.0.0-13.4.30 - 14.0.0-14.3.2 Description Backend users with file write permissions can upload form definition files with mixed-case extensions (e.g., ), thereby bypassing the upload restrictions enforced by the Form Framework. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrator backend user accounts. Remediation Upgrade to TYPO3 versions that have resolved the aforementioned issues: 10.4.57 ELTS 11.5.51 ELTS 12.4.46 ELTS 13.4.31 LTS 14.3.3 LTS General Recommendations Follow the advice outlined in the TYPO3 Security Guide and subscribe to the typo3-announce mailing list. General Notes All code changes related to security have been marked, enabling you to locate them easily in our review system. Author Information Oliver Hader - TYPO3 GmbH, Hof, Germany - Core Developer - Has been using TYPO3 since 2005 and became a member of the TYPO3 core team in 2007. - After completing a graduate master's degree in Internet Network Science in 2014, he focused his research on advanced web technology topics. - In his spare time, he enjoys cycling through the mountainous regions of northern Bavaria around Hof, Germany.

Goal Reached Thanks to every supporter — we hit 100%!

TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework (CVE-2026-47346)