TYPO3 Ext: Potential SQLi via AddressRepository::getSqlQuery()
CVE-2026-8827 Published on May 19, 2026

SQL Injection in extension "Address List" (tt_address)
The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.

Vendor Advisory NVD

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2026-8827 has been classified to as a SQL Injection vulnerability or weakness.

Affected Versions

TYPO3 Extension "Address List":

Version 10.0.0 and below 10.0.1 is affected.
Version 9.0.0 and below 9.1.1 is affected.
Before 8.1.2 is affected.

TYPO3 Ext: Potential SQLi via AddressRepository::getSqlQuery()CVE-2026-8827 Published on May 19, 2026

Weakness Type

What is a SQL Injection Vulnerability?

Affected Versions

TYPO3 Ext: Potential SQLi via AddressRepository::getSqlQuery()
CVE-2026-8827 Published on May 19, 2026