CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-11607: Broken Access Control in TYPO3 CMS Form Framework

Vulnerability ID: CVE-2026-11607
CVSS Score: 7.6
Published: 2026-06-12

CVE-2026-11607 is a critical broken access control vulnerability in TYPO3 CMS's Form Framework (ext:form). Authenticated backend users with access to the Form Framework can load unauthorized YAML configurations, bypassing file extension restrictions. This allows the execution of arbitrary SQL commands via the SaveToDatabase finisher, leading to privilege escalation to administrator level.

TL;DR

Authenticated backend users can bypass file extension restrictions to load malicious YAML configurations, executing arbitrary database commands and gaining full administrator privileges.


Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network
  • CVSS v4.0: 7.6
  • EPSS Score: 0.00414 (0.41%)
  • Impact: Privilege Escalation / Database Compromise
  • Exploit Status: None
  • KEV Status: Not Listed

Affected Systems

  • TYPO3 CMS

Mitigation Strategies

  • Restrict access to the Form Framework backend module
  • Audit the fileadmin storage for unauthorized YAML files containing database finishers
  • Upgrade TYPO3 CMS to patched versions

Remediation Steps:

  1. Verify existing user privileges and restrict form creation rights
  2. Scan files for 'SaveToDatabase' or 'DatabaseWriteFinisher' elements in unexpected file paths
  3. Apply TYPO3 core updates immediately according to the advisory release guidelines
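The fileadmin audit called for in the mitigation list and in remediation step 2, as an added Python example that is not part of the original advisory: it walks a storage tree, reports every file whose finisher identifier is SaveToDatabase or DatabaseWriteFinisher regardless of file extension (since the flaw bypasses extension restrictions), and marks hits outside an assumed form_definitions directory as unexpected. The sample files it writes are constructed for illustration.

```python
import os
import re
import tempfile

# Finishers named in the advisory; plain text matching so non-.yaml files are also caught.
FINISHER_RE = re.compile(
    r"^\s*-?\s*identifier:\s*['\"]?(SaveToDatabase|DatabaseWriteFinisher)['\"]?\s*$", re.M)
# Assumption: form definitions belong only under this directory; hits elsewhere are "unexpected".
EXPECTED_DIRS = ("form_definitions",)
# Constructed sample storage: harmless form, legitimate DB form, and a definition hidden in a .txt.
SAMPLE_FILES = {
    "form_definitions/contact.form.yaml":
        "type: Form\nidentifier: contact\nfinishers:\n  - identifier: EmailToReceiver\n",
    "form_definitions/signup.form.yaml":
        "type: Form\nidentifier: signup\nfinishers:\n  - identifier: SaveToDatabase\n",
    "user_upload/notes.txt":
        "type: Form\nidentifier: x\nfinishers:\n  - identifier: 'DatabaseWriteFinisher'\n",
}

def scan_form_definitions(root, expected_dirs=EXPECTED_DIRS):
    """Return (relative_path, finisher, unexpected_location) for every hit under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            unexpected = rel.split("/")[0] not in expected_dirs
            for match in FINISHER_RE.finditer(text):
                findings.append((rel, match.group(1), unexpected))
    return findings

def build_sample_storage():
    # Writes SAMPLE_FILES into a fresh temporary directory and returns its path.
    root = tempfile.mkdtemp(prefix="fileadmin_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, finisher, unexpected in scan_form_definitions(build_sample_storage()):
        print("UNEXPECTED LOCATION" if unexpected else "review", finisher, rel)
```

Hits inside the expected directory still deserve a review of who created them and what table the finisher writes to; hits elsewhere are the unauthorized files the advisory tells you to look for.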

