TYPO3 Date Menu Plugin SQLi via Unauth URL
CVE-2026-8726 Published on May 19, 2026

SQL Injection in extension "News system" (news)
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

Vendor Advisory NVD

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2026-8726 has been classified to as a SQL Injection vulnerability or weakness.

Affected Versions

TYPO3 Extension "News system":

Version 14.0.0 and below 14.0.3 is affected.
Version 13.0.0 and below 13.0.2 is affected.
Version 12.0.0 and below 12.3.2 is affected.
Before 11.4.4 is affected.

TYPO3 Date Menu Plugin SQLi via Unauth URLCVE-2026-8726 Published on May 19, 2026

Weakness Type

What is a SQL Injection Vulnerability?

Affected Versions

TYPO3 Date Menu Plugin SQLi via Unauth URL
CVE-2026-8726 Published on May 19, 2026