{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-49741: TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-49741","status":"final","version":"1","initial_release_date":"2026-06-09T10:54:19.332Z","current_release_date":"2026-06-11T13:27:25.564Z","revision_history":[{"date":"2026-06-09T10:54:19.332Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. 
This issue affects TYPO3 CMS versions 14.0.0-14.3.3. Note: the product range and remediation in this record list 14.3.3 as the fixed version, so confirm against the vendor advisory whether 14.3.3 itself is affected.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-49741 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-49741"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-49741"},{"category":"external","summary":"typo3.org","url":"https://typo3.org/security/advisory/typo3-core-sa-2026-017"},{"category":"external","summary":"typo3.org","url":"https://typo3.org/security/advisory/typo3-core-sa-2018-003"},{"category":"external","summary":"Git commit of main branch","url":"https://github.com/TYPO3/typo3/commit/c90493c13b633f328cf2c066182c90a1655ff0fc"}]},"product_tree":{"branches":[{"category":"vendor","name":"TYPO3","branches":[{"category":"product_name","name":"TYPO3 CMS","branches":[{"category":"product_version_range","name":">=14.0.0 <14.3.3","product":{"name":"TYPO3 TYPO3 CMS >=14.0.0 <14.3.3","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:typo3:typo3_cms:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-49741","title":"TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework","notes":[{"category":"description","text":"Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. 
This issue affects TYPO3 CMS versions 14.0.0-14.3.3. Note: the product range and remediation in this record list 14.3.3 as the fixed version, so confirm against the vendor advisory whether 14.3.3 itself is affected.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N","baseScore":8.7,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 14.3.3.","product_ids":["CSAFPID-1"],"url":"https://github.com/TYPO3/typo3/commit/c90493c13b633f328cf2c066182c90a1655ff0fc"}]}]}