CVE-2026-8726 TYPO3 CVE debrief

Who should care

TYPO3 administrators, security teams managing content management systems, database administrators, and organizations utilizing news article functionality with date-based navigation.

Technical summary

The vulnerable extension fails to sanitize user-controlled input before incorporating it into database queries within the 'Date Menu of news articles' plugin. Attackers can manipulate URL parameters to inject arbitrary SQL statements. The attack surface is exposed when `disableOverrideDemand` is disabled (default or explicitly unset), allowing external input to override internal demand objects. This represents a classic second-order injection pattern where plugin configuration state determines exploitability.

Defensive priority

HIGH

Recommended defensive actions

• Verify whether the 'Date Menu of news articles' plugin is deployed in your TYPO3 environment
• Check TypoScript/Plugin configuration to confirm `disableOverrideDemand` is not enabled
• Apply patches or updates from the TYPO3 security advisory when available
• Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in URL parameters
• Review database query logs for anomalous activity targeting date menu endpoints
• Conduct code review of custom extensions implementing similar date-based filtering functionality

Evidence notes

Vulnerability description and CVSS vector sourced from NVD record. Advisory reference confirms TYPO3 extension context and exploitation conditions. Vendor identification marked low confidence due to 'Unknown Vendor' classification with TYPO3 as domain candidate.

Official resources