VYPR
High severityNVD Advisory· Published May 19, 2026· Updated May 19, 2026

CVE-2026-8726

CVE-2026-8726

Description

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
georgringer/newsPackagist
>= 12.0.0, < 12.3.212.3.2
georgringer/newsPackagist
>= 13.0.0, < 13.0.213.0.2
georgringer/newsPackagist
>= 14.0.0, < 14.0.314.0.3
georgringer/newsPackagist
< 10.0.410.0.4
georgringer/newsPackagist
>= 11.0.0, < 11.4.411.4.4

Affected products

1

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.