CVE-2026-49741 | Backend users with write access to the form_definition datab… | CVSS 8.7 HIGH

Description

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.

Metadata

CVE ID: CVE-2026-49741
State: PUBLISHED
Assigner: TYPO3
Reserved: 2026-06-01 10:52 UTC
Published: 2026-06-09 10:54 UTC
Last updated: 2026-06-11 13:27 UTC
Primary CWE: CWE-862
CWE-862 Missing Authorization
Vendor / Product: TYPO3 / TYPO3 CMS
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
TYPO3	TYPO3 CMS	—	14.0.0 < 14.3.3

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	CWE-862 Missing Authorization
CWE-89	cna	CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References (3)