High severityNVD Advisory· Published May 19, 2026· Updated May 19, 2026
CVE-2026-8726
CVE-2026-8726
Description
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
georgringer/newsPackagist | >= 12.0.0, < 12.3.2 | 12.3.2 |
georgringer/newsPackagist | >= 13.0.0, < 13.0.2 | 13.0.2 |
georgringer/newsPackagist | >= 14.0.0, < 14.0.3 | 14.0.3 |
georgringer/newsPackagist | < 10.0.4 | 10.0.4 |
georgringer/newsPackagist | >= 11.0.0, < 11.4.4 | 11.4.4 |
Affected products
1Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.