CVE-2026-8827
Description
The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The tt_address extension's AddressRepository::getSqlQuery() method lacks input sanitization, enabling SQL injection if called by custom code.
Vulnerability
Description
The AddressRepository::getSqlQuery() method in the TYPO3 extension "Address List" (tt_address) constructs a database query without properly sanitizing user input, leading to SQL Injection [1]. This flaw exists because the method directly incorporates untrusted data into the SQL statement, violating secure coding practices for database queries.
Attack Vector
The vulnerable method is not invoked anywhere within the extension itself [1]. Therefore, the default installation is not directly exploitable. The risk arises only when a custom extension calls getSqlQuery() with user-controlled or untrusted input. An attacker would need to find or create such a calling context to leverage the injection point.
Impact
Exploitation could allow an attacker with network access to execute arbitrary SQL commands against the database, potentially reading sensitive data (confidentiality impact is rated high in the CVSS score) [1]. However, the CVSS report notes that integrity and availability are not affected, and the attack requires specific preconditions (accessibility of the method via custom code).
Mitigation
Patched versions (10.0.1, 9.1.1, and 8.1.2) are available from the TYPO3 extension manager and Packagist [1]. Users of the extension are advised to update as soon as possible to eliminate the risk for custom implementations that may call the method.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
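The defect class the advisory describes, as an added example that is not code from tt_address or TYPO3: a hypothetical repository helper that concatenates a caller-supplied filter value into the SQL text, beside the parameterized form a custom extension calling such a method should rely on. The table layout, the helper names, and the inputs are constructed for the demonstration; the page does not show the body of getSqlQuery(), and this is not a reconstruction of it. It uses PDO with an in-memory SQLite database so it runs without a TYPO3 installation.

```php
<?php
// Added example, not code from the tt_address extension or TYPO3.
// Models the advisory's defect class: a repository helper that splices
// caller-supplied input into SQL, next to the parameterized version.
// Runs stand-alone against an in-memory SQLite database via PDO.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows; column names are assumptions for the demo.
$pdo->exec('CREATE TABLE tt_address (uid INTEGER PRIMARY KEY, pid INTEGER, name TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO tt_address (pid, name, hidden) VALUES (1, 'Alice', 0), (1, 'Bob', 1), (2, 'Carol', 0)");

// Hypothetical unsafe helper: the filter value becomes part of the SQL text,
// so a value containing a quote changes the structure of the query.
function unsafeSelectByName(PDO $pdo, string $name): array
{
    $sql = "SELECT uid, name FROM tt_address WHERE hidden = 0 AND name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened helper: the value travels as a bound parameter and is compared
// literally, whatever characters it contains.
function safeSelectByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT uid, name FROM tt_address WHERE hidden = 0 AND name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a benign lookup and a value that closes the string
// literal and appends an always-true condition.
$benign  = 'Alice';
$crafted = "x' OR '1'='1";

// Unsafe helper: the benign value matches one row; the crafted value rewrites
// the WHERE clause and returns all three rows, including the hidden one.
printf("unsafe, benign : %d row(s)\n", count(unsafeSelectByName($pdo, $benign)));   // 1
printf("unsafe, crafted: %d row(s)\n", count(unsafeSelectByName($pdo, $crafted)));  // 3

// Hardened helper: the crafted value is just a name nobody has.
printf("safe, benign   : %d row(s)\n", count(safeSelectByName($pdo, $benign)));     // 1
printf("safe, crafted  : %d row(s)\n", count(safeSelectByName($pdo, $crafted)));    // 0
```

Run with `php example.php`. In a TYPO3 extension the equivalent of the prepared statement is the Doctrine DBAL QueryBuilder obtained from ConnectionPool::getQueryBuilderForTable(), with every value passed through createNamedParameter() instead of being concatenated into the SQL string. The practical check for custom code that reviews this advisory is whether any caller of getSqlQuery() can supply a value that ends up inside the query text; if so, that call path needs the parameterized form regardless of whether the default installation invokes the method.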
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.