VYPR

Packagist (Composer) package

typo3/cms-form

pkg:composer/typo3/cms-form

Vulnerabilities (7)

  • CVE-2026-49741HigJun 9, 2026
    affected >= 14.0.0, < 14.3.3fixed 14.3.3

    Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form config

  • CVE-2026-47346HigJun 9, 2026
    affected < 10.4.57fixed 10.4.57

    Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing

  • CVE-2026-11607HigJun 9, 2026
    affected < 10.4.57fixed 10.4.57

    Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allow

  • CVE-2024-55922Jan 14, 2025
    affected >= 10.0.0, < 10.4.48fixed 10.4.48

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing a

  • CVE-2021-21355Mar 23, 2021
    affected >= 8.0.0, < 8.7.40fixed 8.7.40

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - how

  • CVE-2021-21357Mar 23, 2021
    affected >= 8.0.0, < 8.7.40fixed 8.7.40

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of th

  • CVE-2021-21358Mar 23, 2021
    affected >= 10.2.0, < 10.4.14fixed 10.4.14

    TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form