CVE-2026-47346

Description

### Problem Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., `.FORM.YAML`) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. ### Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described. ### Credits TYPO3 CMS thanks Alexander Künzl for reporting this issue, and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke for fixing it. ### Resources * [TYPO3-CORE-SA-2026-008](https://typo3.org/security/advisory/typo3-core-sa-2026-008)

How to fix CVE-2026-47346

To remediate CVE-2026-47346, upgrade the affected package to a fixed version below.

• —upgrade to 10.4.57 or later
• —upgrade to 10.4.57 or later

Is CVE-2026-47346 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47346.

Affected packages (2)

• from 0, < 10.4.57
• from 0, < 10.4.57

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-47346
• PATCHgithub.com/TYPO3/typo3
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47346.yaml
• WEBgithub.com/TYPO3/typo3/commit/2030617e6f273cee7b756c695f0a48a45a31eb47