cbcvebase.
CVE-2026-47346
published 2026-06-09

CVE-2026-47346: Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form…

PriorityP354high7.6CVSS 4.0
AVNACLATPPRLUINVCHVIHVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.25%
16.5th percentile
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Affected

15 ranges
VendorProductVersion rangeFixed in
typo3cms-core>= 0 < 10.4.5710.4.57
typo3cms-core>= 11.0.0 < 11.5.5111.5.51
typo3cms-core>= 12.0.0 < 12.4.4612.4.46
typo3cms-core>= 13.0.0 < 13.4.3113.4.31
typo3cms-core>= 14.0.0 < 14.3.314.3.3
typo3cms-form>= 0 < 10.4.5710.4.57
typo3cms-form>= 11.0.0 < 11.5.5111.5.51
typo3cms-form>= 12.0.0 < 12.4.4612.4.46
typo3cms-form>= 13.0.0 < 13.4.3113.4.31
typo3cms-form>= 14.0.0 < 14.3.314.3.3
typo3typo3_cms< 10.4.5710.4.57
typo3typo3_cms>= 11.0.0 < 11.5.5111.5.51
typo3typo3_cms>= 12.0.0 < 12.4.4612.4.46
typo3typo3_cms>= 13.0.0 < 13.4.3113.4.31
typo3typo3_cms>= 14.0.0 < 14.3.314.3.3
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.