Packagist (Composer) package
typo3/cms-form
pkg:composer/typo3/cms-form
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-49741 | Hig | — | >= 14.0.0, < 14.3.3 | 14.3.3 | Jun 9, 2026 | Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form config | |
| CVE-2026-47346 | Hig | — | < 10.4.57 | 10.4.57 | Jun 9, 2026 | Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing | |
| CVE-2026-11607 | Hig | — | < 10.4.57 | 10.4.57 | Jun 9, 2026 | Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allow | |
| CVE-2024-55922 | — | >= 10.0.0, < 10.4.48 | 10.4.48 | Jan 14, 2025 | TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing a | ||
| CVE-2021-21355 | — | >= 8.0.0, < 8.7.40 | 8.7.40 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - how | ||
| CVE-2021-21357 | — | >= 8.0.0, < 8.7.40 | 8.7.40 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of th | ||
| CVE-2021-21358 | — | >= 10.2.0, < 10.4.14 | 10.4.14 | Mar 23, 2021 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form |
- affected >= 14.0.0, < 14.3.3fixed 14.3.3
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form config
- affected < 10.4.57fixed 10.4.57
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing
- affected < 10.4.57fixed 10.4.57
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allow
- CVE-2024-55922Jan 14, 2025affected >= 10.0.0, < 10.4.48fixed 10.4.48
TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing a
- CVE-2021-21355Mar 23, 2021affected >= 8.0.0, < 8.7.40fixed 8.7.40
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - how
- CVE-2021-21357Mar 23, 2021affected >= 8.0.0, < 8.7.40fixed 8.7.40
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of th
- CVE-2021-21358Mar 23, 2021affected >= 10.2.0, < 10.4.14fixed 10.4.14
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form