PatchSiren cyber security CVE debrief

CVE-2026-8827 TYPO3 CVE debrief

A SQL injection vulnerability exists in the AddressRepository::getSqlQuery() method of a TYPO3 extension. The method constructs database queries without proper input sanitization. While the vulnerable method is not invoked within the extension itself—eliminating direct risk in default installations—custom extensions that call this method with untrusted input can expose sites to SQL injection attacks. The vulnerability carries a HIGH severity CVSS 4.0 score of 8.2.

Vendor: TYPO3
Product: Extension "Address List"
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

TYPO3 administrators running custom extensions; developers maintaining TYPO3 extensions that interact with address repositories; security teams monitoring for SQL injection risks in CMS environments

Technical summary

The AddressRepository::getSqlQuery() method in a TYPO3 extension fails to sanitize user input when constructing SQL queries, creating a SQL injection vulnerability (CWE-89). The extension never calls the method itself, so default installations are not directly affected. However, because the method is exposed as a public API surface, custom extensions can invoke it with untrusted input, which may result in unauthorized data access. The CVSS 4.0 score of 8.2 reflects a network attack vector, low attack complexity, attack requirements present (AT:P), no privileges required, no user interaction, and high confidentiality impact on the vulnerable component, with no integrity or availability impact.

Defensive priority

HIGH

Recommended defensive actions

  • Audit custom TYPO3 extensions for calls to AddressRepository::getSqlQuery() and ensure all input is properly parameterized or sanitized
  • Apply security updates from TYPO3 when available per advisory EXT-SA-2026-012
  • Review database query construction patterns in custom extensions to eliminate string concatenation with user input
  • Enable database query logging to detect anomalous query patterns that may indicate exploitation attempts
  • Consider web application firewall rules to detect SQL injection payloads in requests targeting custom extension endpoints
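To make the audit and remediation items above concrete, the following is an added example written for this debrief; it is not code from the "Address List" extension or from TYPO3, and the class, method, table and column names are assumed for illustration. It shows the query-construction shape a reviewer should flag (a value concatenated into SQL text) next to the same lookup rewritten with TYPO3's Doctrine DBAL QueryBuilder and a bound parameter (TYPO3 v12 API assumed).

```php
<?php
declare(strict_types=1);

// Added example (not code from the "Address List" extension or TYPO3).
// Table and column names below are assumptions for illustration only.

use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class AddressLookup
{
    // Assumed table name; the real extension's schema is not on the page.
    private const TABLE = 'tx_example_domain_model_address';

    /**
     * Pattern to flag during an audit (CWE-89): the caller-supplied $city is
     * interpolated straight into the SQL text, so the query structure is
     * controlled by whoever controls the input. Identifiers and values are
     * indistinguishable to the database once the string is built.
     */
    public function getSqlQueryUnsafe(string $city): string
    {
        return "SELECT * FROM " . self::TABLE . " WHERE city = '" . $city . "'";
    }

    /**
     * Hardened form: the value travels as a bound parameter and never becomes
     * part of the SQL text. Table and column identifiers are fixed in code,
     * not taken from the caller.
     */
    public function findByCity(string $city): array
    {
        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getQueryBuilderForTable(self::TABLE);

        return $queryBuilder
            ->select('*')
            ->from(self::TABLE)
            ->where(
                $queryBuilder->expr()->eq(
                    'city',
                    $queryBuilder->createNamedParameter($city)
                )
            )
            ->executeQuery()
            ->fetchAllAssociative();
    }
}
```

When reviewing custom extensions, search the codebase for direct calls to getSqlQuery() and for any query string assembled with concatenation or interpolation of request data; each such site should be migrated to the QueryBuilder form above, and the QueryBuilder's default restrictions (hidden, deleted, start/end time) should be left in place unless there is a documented reason to remove them.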

Evidence notes

CVE published 2026-05-19T10:16:25.887Z; modified 2026-05-19T14:47:13.200Z. NVD status: Deferred. Official advisory reference: TYPO3 EXT-SA-2026-012. CVSS 4.0 vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. CWE-89 (SQL Injection) identified.

Official resources

2026-05-19