PatchSiren cyber security CVE debrief
CVE-2026-47346 TYPO3 CVE debrief
CVE-2026-47346 is a high-severity vulnerability in TYPO3 CMS that allows backend users with file write permissions to upload malicious form definition files, potentially leading to arbitrary SQL statement execution and privilege escalation. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. The vulnerability has a CVSS score of 7.6 and is considered HIGH severity. The CVE was published on 2026-06-09T11:16:52.320Z and modified on 2026-06-09T13:46:50.540Z.
- Vendor: TYPO3
- Product: TYPO3 CMS
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of TYPO3 CMS, especially those with backend user accounts having file write permissions, should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability allows backend users with file write permissions to upload form definition files with mixed-case extensions, bypassing the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, potentially leading to privilege escalation by creating administrative backend user accounts.
Defensive priority
High
Recommended defensive actions
- Update TYPO3 CMS to versions 10.4.57, 11.5.50, 12.4.45, 13.4.30, or 14.3.2, or later.
- Restrict file write permissions for backend users.
- Monitor and audit backend user activities.
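To support the audit step, the following added example (not TYPO3's code and not part of the original debrief) models the difference between a case-sensitive and a case-normalised extension check, and uses it to list files in a storage directory that only match the form definition suffix when case is ignored. The `.form.yaml` suffix, the function names and the sample directory layout are assumptions made for illustration.

```python
import os
import tempfile

FORM_SUFFIX = ".form.yaml"  # assumption: suffix used for form definition files


def naive_is_form_definition(name: str) -> bool:
    """Case-sensitive check: the comparison a mixed-case name slips past."""
    return name.endswith(FORM_SUFFIX)


def is_form_definition(name: str) -> bool:
    """Normalise case before comparing, so 'x.Form.YAML' is recognised."""
    return name.casefold().endswith(FORM_SUFFIX)


def find_disguised_form_files(root: str) -> list[str]:
    """Return paths (relative to root) that are form definitions only when
    case is ignored, i.e. files a case-sensitive filter would have missed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_form_definition(name) and not naive_is_form_definition(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed sample storage layout, not taken from a real site."""
    for rel in ("form_definitions/contact.form.yaml",  # legitimate definition
                "user_upload/report.pdf",               # unrelated upload
                "user_upload/contact.Form.Yaml",        # mixed-case suffix
                "user_upload/nested/x.FORM.YAML"):      # upper-case suffix
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as storage:
        build_sample_tree(storage)
        for hit in find_disguised_form_files(storage):
            print("review:", hit)
```

A hit is a file to review together with its upload history and the backend user who created it, not proof of compromise on its own.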
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. Additional references are listed under Official resources.
Official resources
- CVE-2026-47346 CVE record (CVE.org)
- CVE-2026-47346 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (f4fb688c-4412-4426-b4b8-421ecf27b14a)
CVE-2026-47346 was published on 2026-06-09T11:16:52.320Z and modified on 2026-06-09T13:46:50.540Z.