CVE-2026-49741

Description

### Problem Backend users with write access to the `form_definition` database table were able to directly create, update, or delete form definition records via `DataHandler`, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in [TYPO3-CORE-SA-2018-003](https://typo3.org/security/advisory/typo3-core-sa-2018-003), including SQL injection and privilege escalation. ### Solution Update to TYPO3 version 14.3.3 LTS that fixes the problem described. ### Credits TYPO3 CMS thanks Selçuk Güney for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it. ### Resources * [TYPO3-CORE-SA-2026-017](https://typo3.org/security/advisory/typo3-core-sa-2026-017)

How to fix CVE-2026-49741

To remediate CVE-2026-49741, upgrade the affected package to a fixed version below.

• —upgrade to 14.3.3 or later
• —upgrade to 14.3.3 or later

Is CVE-2026-49741 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49741.

Affected packages (2)

• >= 14.0.0, < 14.3.3
• >= 14.0.0, < 14.3.3

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-49741
• PATCHgithub.com/TYPO3/typo3
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49741.yaml
• WEBgithub.com/TYPO3/typo3/commit/c90493c13b633f328cf2c066182c90a1655ff0fc