CVE-2026-8726 PUBLISHED

SQL Injection in extension "News system" (news)

Assigner: TYPO3
Reserved: 16.05.2026 Published: 19.05.2026 Updated: 19.05.2026

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	TYPO3
Product	Extension "News system"
Versions	Default: unaffected affected from 14.0.0 to 14.0.3 (excl.) affected from 13.0.0 to 13.0.2 (excl.) affected from 12.0.0 to 12.3.2 (excl.) affected from 0 to 11.4.4 (excl.)

Credits

Christian Kuhn reporter
Georg Ringer remediation developer

References

https://typo3.org/security/advisory/typo3-ext-sa-2026-010

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE