PatchSiren cyber security CVE debrief

CVE-2026-49741 TYPO3 CVE debrief

CVE-2026-49741 is a high-severity vulnerability in TYPO3 CMS versions 14.0.0-14.3.3. Backend users with write access to the form_definition database table could directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations and re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation.

  • Vendor: TYPO3
  • Product: TYPO3 CMS
  • CVSS: HIGH 8.7
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-06-09
  • Original CVE updated: 2026-06-09
  • Advisory published: 2026-06-09
  • Advisory updated: 2026-06-09

Who should care

Users of TYPO3 CMS versions 14.0.0-14.3.3, especially those with backend users who have write access to the form_definition database table.

Technical summary

The vulnerability has a CVSS score of 8.7 and is classified as HIGH. It affects TYPO3 CMS versions 14.0.0-14.3.3 and is associated with CWE-89 (SQL injection) and CWE-862 (missing authorization).

Defensive priority

High

Recommended defensive actions

  • Update TYPO3 CMS to a version outside of the affected range (14.0.0-14.3.3).
  • Restrict write access to the form_definition database table to trusted backend users.
  • Monitor for suspicious activity related to form configurations and DataHandler usage.
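One way to act on the last two items is sketched below. It is an added example, not code from TYPO3 or from the advisory. It assumes TYPO3's standard core columns (`be_groups.tables_modify`, `be_users.usergroup`, and `sys_log` rows with `type = 1` and `action` 1-3 for DataHandler insert, update and delete); the sample rows are constructed, so verify the column names against your installation before pointing the queries at a real database.

```python
import sqlite3

TABLE = "form_definition"  # table named in the advisory text

def has_table(csv_list, table=TABLE):
    """True if a comma-separated table list contains `table` as an exact entry."""
    return table in [t.strip() for t in (csv_list or "").split(",")]

def writers(db):
    """Active non-admin backend users whose direct groups may modify TABLE."""
    groups = {uid for uid, tm in db.execute(
        "SELECT uid, tables_modify FROM be_groups WHERE deleted = 0") if has_table(tm)}
    out = []
    for uid, name, ug in db.execute(
            "SELECT uid, username, usergroup FROM be_users "
            "WHERE deleted = 0 AND disable = 0 AND admin = 0"):
        member_of = {int(g) for g in (ug or "").split(",") if g.strip()}
        if member_of & groups:
            out.append((uid, name))
    return sorted(out)

def datahandler_writes(db):
    """sys_log rows for DataHandler insert/update/delete (type 1, action 1-3) on TABLE."""
    return db.execute(
        "SELECT tstamp, userid, action, recuid FROM sys_log "
        "WHERE type = 1 AND action IN (1, 2, 3) AND tablename = ? ORDER BY tstamp",
        (TABLE,)).fetchall()

def sample_db():
    """Constructed sample rows; only the columns the audit reads are modelled."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE be_groups (uid INT, title TEXT, tables_modify TEXT, deleted INT);
      CREATE TABLE be_users (uid INT, username TEXT, usergroup TEXT,
                             admin INT, deleted INT, disable INT);
      CREATE TABLE sys_log (tstamp INT, userid INT, type INT, action INT,
                            tablename TEXT, recuid INT);
      INSERT INTO be_groups VALUES (1,'Editors','pages,tt_content',0),
                                   (2,'Form editors','pages,form_definition',0),
                                   (3,'Archive','form_definition_old',0);
      INSERT INTO be_users VALUES (10,'alice','1',0,0,0),(11,'bob','1,2',0,0,0),
                                  (12,'carol','3',0,0,0),(13,'root','',1,0,0);
      INSERT INTO sys_log VALUES (1780000000,11,1,2,'form_definition',5),
                                 (1780000100,10,1,2,'tt_content',40),
                                 (1780000200,11,1,1,'form_definition',6);
    """)
    return db

if __name__ == "__main__":
    db = sample_db()
    print("writers:", writers(db))
    print("writes:", datahandler_writes(db))
```

The sketch checks direct group membership only, so permissions inherited through nested backend groups need a separate pass. Admin accounts are excluded because they are not limited by table permissions in the first place.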

Evidence notes

The CVE record and details can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-49741). The NVD detail page is available at [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-49741). Additional information can be found in the TYPO3 security advisories [typo3-core-sa-2018-003](https://typo3.org/security/advisory/typo3-core-sa-2018-003) and [typo3-core-sa-2026-017](https://typo3.org/security/advisory/typo3-core-sa-2026-017).

Official resources

CVE-2026-49741 was published on 2026-06-09T11:16:53.520Z and modified on 2026-06-09T13:46:50.540Z.