HIGH · CVE-2026-47346 · CNA: TYPO3

CVE-2026-47346: TYPO3 CMS - Broken Access Control in Form Framework

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Metrics

CVSS v4.0: 7.6
Severity: HIGH
Fixed in: 10.4.57
Affected Products: 1


HarborGuard Analysis

Synopsis

Broken access control in TYPO3 CMS allows authenticated backend users to bypass file upload restrictions in the Form Framework by uploading form definition files with mixed-case extensions (e.g., .FORM.YAML). The vulnerability is reachable over the network and requires only a low-privilege backend account with file write permissions, with no victim interaction needed. Successful exploitation lets an attacker execute arbitrary SQL statements against the database, enabling full privilege escalation by creating new administrative backend accounts. Patched-image rebuilds at versions 10.4.57, 11.5.51, 12.4.46, 13.4.31, and 14.3.3 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-47346 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle TYPO3 CMS. Coverage extends to all affected version ranges across the 10.x, 11.x, 12.x, 13.x, and 14.x release lines.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS v4.0 7.6 (HIGH) and weighting it against each customer environment's compliance policy to reflect organizational risk tolerance. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at the applicable fix version (10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3, depending on the installed branch) becomes available on HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the TYPO3 backend over the network; the vulnerable upload endpoint is exposed via standard HTTP/HTTPS.

  • Authentication: Required

    A low-privilege backend account with file write permissions is sufficient; no administrative role is needed to initiate the attack.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker uploads the malicious file and triggers execution entirely on their own.

  • Attack complexity: Detail

    Base exploit logic is condition-free and reliable (AC:L), though the CVSS v4.0 vector records an attack requirement of Present (AT:P): the attacker must already hold file write permission on their backend account.

Blast Radius

  • Attacker executes arbitrary SQL statements against the TYPO3 database backend.
  • Attacker creates new administrative backend user accounts, achieving full privilege escalation.
  • Attacker gains read and write access to all data stored in the TYPO3 database, including user credentials, content records, and configuration.
  • Availability of the service is not directly impacted by this vulnerability (VA:N in the CVSS v4.0 vector).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47346 activates within minutes of ingestion, matching against all customer images that include TYPO3 CMS across any affected version range. Where compliance policy permits, auto-remediation customers receive a rebuilt image at the appropriate patched branch version, a regression test run against that image, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS v4.0 severity context and patch version guidance so teams can act manually. Until a rebuild is deployed, consider restricting file write permissions to the minimum necessary set of backend users and applying web application firewall rules to flag or block uploads with mixed-case file extensions in the Form Framework upload path.
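The bypass described in this record, and the interim mitigation suggested above, as an added illustration in Python (this is not TYPO3's code and not HarborGuard's): a case-sensitive suffix check of the kind that a mixed-case filename slips past, beside a case-insensitive, path-stripping check that closes it, followed by a scanner over constructed upload log lines that flags uploads the weak check would have let through. The `.form.yaml` suffix is taken from the record; the function names, the log format and the sample events are assumptions made for this example.

```python
"""Case-insensitive extension checks for form-definition uploads.

Added illustration of the defect class described in CVE-2026-47346; it is
not TYPO3's own code. The function names and the log format are constructed
for this example.
"""
import re
from typing import Dict, List

# The Form Framework stores form definitions as *.form.yaml files. Assumption:
# the upload restriction is expressed as "deny names with this suffix".
FORM_DEFINITION_SUFFIX = ".form.yaml"


def is_form_definition_naive(filename: str) -> bool:
    """The weak check: an exact, case-sensitive suffix comparison.

    A name such as ``contact.FORM.YAML`` is not recognised as a form
    definition, so the upload restriction never applies to it.
    """
    return filename.endswith(FORM_DEFINITION_SUFFIX)


def is_form_definition_hardened(filename: str) -> bool:
    """The corrected check: normalise the name before comparing.

    - keep only the basename, so directory components cannot confuse the test
    - strip trailing spaces and dots that some filesystems drop silently
    - compare case-insensitively, which closes the mixed-case bypass
    """
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    normalised = basename.rstrip(" .").lower()
    return normalised.endswith(FORM_DEFINITION_SUFFIX)


# Constructed sample of backend upload events (not a real TYPO3 log format).
SAMPLE_UPLOAD_LOG = """\
2026-05-02T10:14:03Z user=editor1 action=upload file=contact.form.yaml result=denied
2026-05-02T10:15:11Z user=editor1 action=upload file=contact.FORM.YAML result=allowed
2026-05-02T10:16:40Z user=editor2 action=upload file=banner.jpg result=allowed
2026-05-02T10:17:05Z user=editor3 action=upload file=forms/Survey.Form.Yaml result=allowed
"""

_LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=upload "
    r"file=(?P<file>\S+) result=(?P<result>\S+)$"
)


def scan_upload_log(log_text: str) -> List[Dict[str, str]]:
    """Flag uploads that the hardened check classifies as form definitions
    but the naive check did not (the case-evasion pattern), provided the
    upload was actually accepted. Returns one record per flagged event.
    """
    flagged: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = _LOG_RE.match(line)
        if not match:
            continue  # ignore lines that do not follow the expected format
        event = match.groupdict()
        evaded = (
            is_form_definition_hardened(event["file"])
            and not is_form_definition_naive(event["file"])
        )
        if evaded and event["result"] == "allowed":
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for hit in scan_upload_log(SAMPLE_UPLOAD_LOG):
        print(f"{hit['ts']} user={hit['user']} accepted form definition {hit['file']}")
```

The scanner reports only events where the normalised name is a form definition, the literal name was not matched by the exact check, and the upload was accepted; that combination is exactly the gap a case-sensitive filter leaves, so it is a useful signal for a WAF rule or a log search while an affected instance awaits the patched version.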


Fix available: 10.4.57, 11.5.51, 12.4.46, 13.4.31, 14.3.3

Affected packages
  • TYPO3 / TYPO3 CMS: < 10.4.57 (from 0) · < 11.5.51 (from 11.0.0) · < 12.4.46 (from 12.0.0) · < 13.4.31 (from 13.0.0) · < 14.3.3 (from 14.0.0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N