TYPO3 CMS 14.014.3.3 FormFramework DataHandler Bypass
CVE-2026-49741 Published on June 9, 2026
TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.
Weakness Types
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-49741 has been classified to as an AuthZ vulnerability or weakness.
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2026-49741 has been classified to as a SQL Injection vulnerability or weakness.
Products Associated with CVE-2026-49741
Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.
Affected Versions
TYPO3 CMS:- Version 14.0.0 and below 14.3.3 is affected.