CVE-2026-47346
Published 2026-06-09
Priority: P3 · 54 · high · 7.6 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.25% (16.5th percentile)
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-core | >= 0 < 10.4.57 | 10.4.57 |
| typo3 | cms-core | >= 11.0.0 < 11.5.51 | 11.5.51 |
| typo3 | cms-core | >= 12.0.0 < 12.4.46 | 12.4.46 |
| typo3 | cms-core | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | cms-core | >= 14.0.0 < 14.3.3 | 14.3.3 |
| typo3 | cms-form | >= 0 < 10.4.57 | 10.4.57 |
| typo3 | cms-form | >= 11.0.0 < 11.5.51 | 11.5.51 |
| typo3 | cms-form | >= 12.0.0 < 12.4.46 | 12.4.46 |
| typo3 | cms-form | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | cms-form | >= 14.0.0 < 14.3.3 | 14.3.3 |
| typo3 | typo3_cms | < 10.4.57 | 10.4.57 |
| typo3 | typo3_cms | >= 11.0.0 < 11.5.51 | 11.5.51 |
| typo3 | typo3_cms | >= 12.0.0 < 12.4.46 | 12.4.46 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | typo3_cms | >= 14.0.0 < 14.3.3 | 14.3.3 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.