TYPO3 CMS MixedCase File Upload SQLi ( 10.4.57/11.5.50/12.4.45/13.4.30/14.3.2)
CVE-2026-47346 Published on June 9, 2026
TYPO3 CMS - Broken Access Control in Form Framework
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Weakness Types
Improper Handling of Case Sensitivity
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-47346 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-47346
Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.
Affected Versions
TYPO3 CMS:- Before 10.4.57 is affected.
- Version 11.0.0 and below 11.5.51 is affected.
- Version 12.0.0 and below 12.4.46 is affected.
- Version 13.0.0 and below 13.4.31 is affected.
- Version 14.0.0 and below 14.3.3 is affected.