ByteOS Network

NVD Vulnerability Details :

CVE-2026-47346

Received

Source-f4fb688c-4412-4426-b4b8-421ecf27b14a

Published At-09 Jun, 2026 | 11:16

Updated At-09 Jun, 2026 | 11:16

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	7.6	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-178	Secondary	f4fb688c-4412-4426-b4b8-421ecf27b14a
CWE-862	Secondary	f4fb688c-4412-4426-b4b8-421ecf27b14a

CWE ID: CWE-178

Type: Secondary

Source: f4fb688c-4412-4426-b4b8-421ecf27b14a

CWE ID: CWE-862

Type: Secondary

Source: f4fb688c-4412-4426-b4b8-421ecf27b14a

References

Hyperlink	Source	Resource
https://github.com/TYPO3/typo3/commit/2030617e6f273cee7b756c695f0a48a45a31eb47	f4fb688c-4412-4426-b4b8-421ecf27b14a	N/A
https://github.com/TYPO3/typo3/commit/eb2b2251d90339d3ab55df3d4c0378ae0c780b45	f4fb688c-4412-4426-b4b8-421ecf27b14a	N/A
https://typo3.org/security/advisory/typo3-core-sa-2026-008	f4fb688c-4412-4426-b4b8-421ecf27b14a	N/A