TYPO3 CMS 14.2.0: Backend password change stores cleartext in uc/user_settings
CVE-2026-6553 Published on April 21, 2026

TYPO3 CMS Stores Cleartext Password in User Settings Module
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.

Vendor Advisory NVD

Weakness Type

Cleartext Storage of Sensitive Information

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Products Associated with CVE-2026-6553

Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.

TYPO3

Affected Versions

TYPO3 CMS:

Version 14.2.0 and below 14.3.0 is affected.

TYPO3 CMS 14.2.0: Backend password change stores cleartext in uc/user_settingsCVE-2026-6553 Published on April 21, 2026

Weakness Type

Cleartext Storage of Sensitive Information

Products Associated with CVE-2026-6553

Affected Versions

TYPO3 CMS 14.2.0: Backend password change stores cleartext in uc/user_settings
CVE-2026-6553 Published on April 21, 2026