Severity: HIGH · CVE-2026-11607 · CNA: TYPO3

CVE-2026-11607: TYPO3 CMS - Broken Access Control in Form Framework

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Metrics

CVSS v4.0: 7.6
Severity: HIGH
Fixed in: 10.4.57
Affected Products: 1


HarborGuard Analysis

Synopsis

Broken access control in the TYPO3 CMS Form Framework allows an authenticated backend user to supply a maliciously crafted file as a form definition, bypassing the expected .form.yaml extension check. The vulnerability is reachable over the network and requires only a low-privilege backend account. Successful exploitation lets an attacker execute arbitrary SQL statements against the TYPO3 database, enabling privilege escalation by creating new administrative backend user accounts. Patched-image rebuilds at versions 10.4.57, 11.5.51, 12.4.46, 13.4.31, and 14.3.3 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-11607 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle TYPO3 CMS. Any image containing an affected TYPO3 version will be flagged in both registry scans and CI pipeline checks.

Triage (Available)

Triage is available using the CVSS v4.0 score of 7.6 (HIGH), with per-environment compliance policy weighting applied to prioritize findings according to each customer organization's risk thresholds. Alerts are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild against the applicable fix version (10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3) becomes available in HarborGuard as soon as the upstream package is published. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the TYPO3 backend over the network to deliver the malicious form definition file.

  • Authentication: Required

    A low-privilege backend account with access to the Form Framework is sufficient; no administrative credentials are needed to begin the attack.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker acts entirely through their own authenticated session.

  • Attack complexity: Low

    The base attack complexity is low (AC:L), but the CVSS v4.0 vector sets Attack Requirements to Present (AT:P), meaning certain environmental or deployment conditions (here, a backend account with Form Framework access and a reachable backend) must be in place for the attack to succeed reliably.

Blast Radius

  • Reads and queries arbitrary database tables, including user credentials, session tokens, and site configuration data stored in the TYPO3 database.
  • Writes new administrative backend user accounts to the database, granting the attacker full TYPO3 backend access independent of the original compromised account.
  • Modifies or deletes existing database rows, enabling tampering with content, user roles, and site settings.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image containing a TYPO3 CMS version affected by CVE-2026-11607, covering registry-stored images and images built in CI pipelines. For environments with auto-remediation enabled, HarborGuard can rebuild the image at the appropriate patched release (10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3), run regression tests, and open a pull request against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes. Where compliance policy does not permit auto-remediation, findings are surfaced with CVSS v4.0 scoring and routed to the designated team inbox for manual action. Until a patched image is deployed, compensating controls such as restricting Form Framework access to the minimum necessary backend user roles and applying network-layer access controls to the TYPO3 backend endpoint are worth considering.


Fix available

10.4.57, 11.5.51, 12.4.46, 13.4.31, 14.3.3
Affected packages
  • TYPO3 / TYPO3 CMS
    < 10.4.57 (from 0) · < 11.5.51 (from 11.0.0) · < 12.4.46 (from 12.0.0) · < 13.4.31 (from 13.0.0) · < 14.3.3 (from 14.0.0)
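The affected ranges above are five half-open version intervals, and the gaps between them matter: 10.4.57 is fixed even though it is below 11.0.0, so a naive "less than 14.3.3" check would misclassify it. The following is an added example (the editor's, not HarborGuard's or TYPO3's code) that encodes exactly those intervals and classifies version strings from a constructed image inventory; the `typo3_version` field in the inventory records is an assumed name, and pre-release suffixes such as `-rc1` are compared by their numeric core, which is a simplification noted in the code.

```python
import re
from typing import List, Optional, Tuple

# Half-open intervals [first affected, first fixed) as published on this page
# for CVE-2026-11607.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("0.0.0", "10.4.57"),
    ("11.0.0", "11.5.51"),
    ("12.0.0", "12.4.46"),
    ("13.0.0", "13.4.31"),
    ("14.0.0", "14.3.3"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a TYPO3 version string to a (major, minor, patch) tuple.

    Accepts a leading 'v' and pads missing components with 0.  A component such
    as '46-rc1' is truncated to its leading digits and parsing stops there, so a
    pre-release is compared as its numeric core (a simplification: 12.4.46-rc1
    compares equal to 12.4.46).
    """
    text = version.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    nums: List[int] = []
    for part in text.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        nums.append(int(match.group()))
        if match.end() != len(part):  # trailing suffix: stop after the digits
            break
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for the branch `version` falls in,
    or None when the version lies outside every affected interval."""
    parsed = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= parsed < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def triage_inventory(inventory: List[dict]) -> List[dict]:
    """Flag every inventory record whose TYPO3 version is affected and attach
    the release it should be rebuilt against."""
    findings = []
    for record in inventory:
        fix = fixed_version_for(record["typo3_version"])
        if fix is not None:
            findings.append({
                "image": record["image"],
                "typo3_version": record["typo3_version"],
                "cve": "CVE-2026-11607",
                "rebuild_to": fix,
            })
    return findings


# Constructed sample inventory (image names and versions invented for the example).
SAMPLE_INVENTORY = [
    {"image": "registry.example/web/cms:a", "typo3_version": "12.4.45"},
    {"image": "registry.example/web/cms:b", "typo3_version": "12.4.46"},
    {"image": "registry.example/web/cms:c", "typo3_version": "10.4.57"},
    {"image": "registry.example/web/cms:d", "typo3_version": "v9.5.30"},
    {"image": "registry.example/web/cms:e", "typo3_version": "14.3.3"},
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(f"{finding['image']}: TYPO3 {finding['typo3_version']} affected by "
              f"{finding['cve']}, rebuild to {finding['rebuild_to']}")
```

Because the lower bound of the first interval is 0, any 9.x or older release is reported as affected with 10.4.57 as its fix target, matching the `< 10.4.57 (from 0)` entry above; a version that is numerically past 14.3.3, or sits in a gap such as 10.4.57 through 10.4.x, is reported as not affected.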
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N