CVE-2026-49741: TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 14.3.3
- Affected Products: 1
HarborGuard Analysis
Synopsis
This vulnerability combines privilege escalation and SQL injection in TYPO3 CMS versions 14.0.0 through 14.3.2, affecting the Form Framework's persistence layer. An authenticated backend user with write access to the form_definition table can bypass the Form Framework's permission checks by sending crafted requests directly through DataHandler, re-enabling attack vectors previously addressed in 2018. Successful exploitation gives the attacker the ability to read and tamper with database contents and escalate their privileges within the CMS. A patched-image rebuild at version 14.3.3 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-49741 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built TYPO3 images, in registries and CI pipelines.
Available
HarborGuard is capable of scoring this finding at CVSS 8.7 HIGH and weighting it against each environment's compliance policy to surface it at the correct severity tier; findings are routed to the appropriate team inbox within each customer organization based on their configured escalation rules.
Available
A patched-image rebuild at TYPO3 CMS 14.3.3 becomes available on HarborGuard the moment the fix version is confirmed against a customer's affected image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the TYPO3 backend over the network to send crafted DataHandler requests.
- Authentication: Required
  A valid backend user account with write access to the form_definition table is needed; any low-privilege account meeting that table permission is sufficient.
- Victim interaction: Not required
  No victim action is needed; the attacker operates entirely through their own authenticated session.
- Attack complexity
  The exploit is reliable and condition-free; no race conditions or special environmental factors are required to bypass the Form Framework's validation.
Blast Radius
- Reads arbitrary database rows, including stored session tokens, user credentials, and customer records, by injecting SQL through crafted form configurations.
- Modifies persisted database records, including form definitions and user permission entries, enabling lasting changes to CMS data.
- Escalates privileges within the TYPO3 backend by injecting configurations that re-enable access controls or roles beyond what the account was originally granted.
- Causes limited disruption to the form-serving layer (low availability impact on the vulnerable component) as a side effect of malformed definition injection.
How HarborGuard Handles This
Available on HarborGuard: images running TYPO3 CMS 14.0.0 through 14.3.2 are matched against this CVE upon ingestion, which occurs within minutes of advisory publication. Where compliance policy permits, a rebuilt image pinned to 14.3.3 is made available immediately. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding in the triage queue with a direct reference to the 14.3.3 fix so teams can act manually. Until a patched image is deployed, consider restricting backend user grants on the form_definition table to accounts that strictly require it, and applying network-policy controls to limit which internal services can reach the TYPO3 DataHandler endpoint.
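Restricting form_definition grants, as suggested above, starts with knowing which accounts hold them, including through inherited subgroups. The following is an added example, not HarborGuard or TYPO3 code: it resolves effective write access from constructed sample rows, assuming the TYPO3 columns be_groups.tables_modify and subgroup and be_users.usergroup, admin, disable and deleted.

```python
# Added example, not HarborGuard or TYPO3 code. Rows are constructed samples
# shaped like be_groups / be_users exports (column names are an assumption).
TARGET_TABLE = "form_definition"

def _csv(value):
    """Split a comma-separated list field into clean tokens."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def groups_granting(groups, table=TARGET_TABLE):
    """uids of groups granting tables_modify on `table`, directly or via subgroups."""
    by_uid = {g["uid"]: g for g in groups if not g.get("deleted")}

    def grants(uid, seen):
        group = by_uid.get(uid)
        if group is None or uid in seen:  # dangling reference or subgroup cycle
            return False
        if table in _csv(group.get("tables_modify")):
            return True
        return any(grants(int(s), seen | {uid})
                   for s in _csv(group.get("subgroup")) if s.isdigit())

    return {uid for uid in by_uid if grants(uid, frozenset())}

def non_admin_writers(users, groups, table=TARGET_TABLE):
    """Map active non-admin usernames to the groups that give them write access."""
    granting = groups_granting(groups, table)
    findings = {}
    for user in users:
        if user.get("deleted") or user.get("disable") or user.get("admin"):
            continue  # admins already hold full access; inactive accounts are skipped
        via = sorted({int(g) for g in _csv(user.get("usergroup"))
                      if g.isdigit() and int(g) in granting})
        if via:
            findings[user["username"]] = via
    return findings

GROUPS = [  # constructed sample data
    {"uid": 1, "tables_modify": "pages,tt_content", "subgroup": ""},
    {"uid": 2, "tables_modify": "form_definition", "subgroup": ""},
    {"uid": 3, "tables_modify": "tt_content", "subgroup": "2"},  # inherits from 2
    {"uid": 4, "tables_modify": "", "subgroup": "5"},            # cycle 4 <-> 5
    {"uid": 5, "tables_modify": "", "subgroup": "4"},
]
USERS = [  # constructed sample data
    {"username": "alice", "usergroup": "1"}, {"username": "bob", "usergroup": "3"},
    {"username": "carol", "usergroup": "1,2"}, {"username": "erin", "usergroup": "4"},
    {"username": "dave", "usergroup": "2", "disable": 1},
    {"username": "root", "usergroup": "", "admin": 1},
]
```

Every non-admin account in the result is one the Authentication condition above applies to; remove the grant from those that do not need it until 14.3.3 is deployed.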
- TYPO3 / TYPO3 CMS: < 14.3.3 (from 14.0.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N