CVE-2026-8726
Description
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in TYPO3 News extension's Date Menu plugin allows unauthenticated attackers to execute arbitrary SQL via a URL parameter.
Vulnerability Overview
The TYPO3 extension "News system" (news) is vulnerable to SQL injection in its "Date Menu of news articles" plugin. The extension fails to properly sanitize user input before using it in a database query, allowing an unauthenticated attacker to inject arbitrary SQL through a URL parameter [1].
Exploitation Conditions
Exploitation requires the "Date Menu of news articles" plugin to be active on a page and the TypoScript/Plugin setting disableOverrideDemand not to be enabled. No authentication is needed, and the attack is performed over the network with low complexity, though the attacker must have knowledge of the specific plugin configuration [1].
Impact
A successful SQL injection can lead to unauthorized reading of database contents, including sensitive data such as user credentials or other confidential information. The CVSS v4.0 score of 7.3 (High) reflects the potential for high confidentiality impact, though integrity and availability are not directly affected [1].
Mitigation
The vulnerability affects versions 14.0.0–14.0.2, 13.0.0–13.0.1, 12.0.0–12.3.1, and 11.4.3 and below. Patched versions 14.0.3, 13.0.2, 12.3.2, and 11.4.4 are available from the TYPO3 extension manager, Packagist, or direct download. Users are advised to update immediately [1].
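As an added example (not part of the advisory or the extension's own code), the following Python script checks a Composer lock file against the affected ranges listed above and reports the fixed release to move to. The Composer package name georgringer/news and the sample lock content are assumptions of this example.

```python
import json
import re

# Affected ranges and fixed releases, taken from the advisory text above.
# Each entry: (lowest affected, highest affected, fixed release).
AFFECTED = [
    ((14, 0, 0), (14, 0, 2), "14.0.3"),
    ((13, 0, 0), (13, 0, 1), "13.0.2"),
    ((12, 0, 0), (12, 3, 1), "12.3.2"),
    ((0, 0, 0), (11, 4, 3), "11.4.4"),  # "11.4.3 and below"
]

PACKAGE = "georgringer/news"  # assumption: Composer name of the News extension


def parse_version(text):
    """Turn '12.3.1' or 'v12.3.1' into (12, 3, 1); None for dev branches."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def fixed_release_for(version_text):
    """Return the fixed release to upgrade to, or None if not in an affected range."""
    version = parse_version(version_text)
    if version is None:
        # Branch aliases such as 'dev-main' cannot be ranged; review them by hand.
        raise ValueError(f"cannot compare non-release version {version_text!r}")
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return fixed
    return None


def check_composer_lock(lock_text, package=PACKAGE):
    """Return (installed_version, fixed_release_or_None); (None, None) if absent."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            return entry["version"], fixed_release_for(entry["version"])
    return None, None


# Constructed sample composer.lock content, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.20"},
    {"name": "georgringer/news", "version": "12.3.0"},
]})

if __name__ == "__main__":
    installed, fixed = check_composer_lock(SAMPLE_LOCK)
    print(installed, "-> upgrade to", fixed if fixed else "nothing (not affected)")
```

An installation reported as affected is only exploitable under the conditions described above, so the page's two preconditions (the Date Menu plugin in use, disableOverrideDemand not enabled) are worth checking alongside the version.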
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.