CVE-2026-49741 · EPSS p28.7%

Description

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.

Scoring

EPSS: 0.37% probability of exploitation · percentile 28.7% · 2026-06-19T12:03:05Z
Last modified: 2026-06-09

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-47346
CVE-2026-11607
CVE-2026-49740
CVE-2026-47351
CVE-2026-47349
CVE-2026-47343

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.