Which versions of TYPO3 CMS are affected by CVE-2026-11607?

TYPO3 CMS versions 10.4 through 14.3 contain a privilege escalation vulnerability in the Form Framework that allows authenticated backend users to create unauthorized administrator accounts.. A patch is available.

Is there a public PoC exploit available for CVE-2026-11607?

Yes, a public proof-of-concept exploit is available for CVE-2026-11607. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-11607?

Within 24 hours: Audit administrative accounts for unauthorized additions and review Form Framework access logs for suspicious form activities. Within 7 days: Check TYPO3 vendor advisory for patched version timelines; implement monitoring for suspicious form uploads with non-standard file extensions. Within 30 days: Apply vendor-released patch when available, or implement permanent compensating controls if no patch is released; restrict Form Framework access to minimal trusted user set.

TYPO3 CMS CVE-2026-11607

Q: What is the CVSS score of CVE-2026-11607?

CVE-2026-11607 has a CVSS 4.0 base score of 7.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-35391 HIGH

Missing Authorization (CWE-862)

2026-06-09 f4fb688c-4412-4426-b4b8-421ecf27b14a

GHSA-pjpj-v387-x4vq

Authentication Bypass

7.6

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.6 HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

Jun 09, 2026 - 13:01 EUVD

Source Code Evidence Fetched

Jun 09, 2026 - 11:32 vuln.today

Analysis Generated

Jun 09, 2026 - 11:32 vuln.today

DescriptionCVE.org

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

AnalysisAI

Privilege escalation in TYPO3 CMS allows authenticated backend users with Form Framework access to execute arbitrary SQL by uploading malicious form definitions with non-standard file extensions, enabling creation of administrative backend accounts. The flaw stems from incomplete file-extension validation in FormPersistenceManager and affects every supported branch (10.4, 11.5, 12.4, 13.4, 14.3) below the fixed releases. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Authenticate as low-privileged backend editor

Delivery

Upload crafted YAML with non-.form.yaml extension

Exploit

Trigger form load via Form Framework

Install

Bypass file-extension validation

Inject SQL via processed form definition

Execute

Insert admin row in be_users

Impact