Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
AnalysisAI
Privilege escalation in TYPO3 CMS Form Framework allows authenticated backend users with file write permissions to bypass upload restrictions using mixed-case file extensions (e.g., .FORM.YAML), then execute arbitrary SQL via crafted form definition files to create administrative backend accounts. The flaw affects TYPO3 versions before 10.4.57, 11.5.50, 12.4.45, 13.4.30, and 14.3.2 across all supported branches. No public exploit identified at time of analysis, but the upstream fix is published with detailed commit-level test cases that effectively serve as a roadmap for exploit development.
Technical ContextAI
TYPO3 CMS is a widely deployed PHP-based enterprise content management system. The vulnerability is rooted in CWE-178 (Improper Handling of Case Sensitivity), specifically in the Form Framework's FilePersistenceSlot.php, which used a case-sensitive str_ends_with() check against the lowercase '.form.yaml' extension to gate dangerous form-definition uploads. On case-insensitive filesystems, an attacker could upload a file named with mixed-case (e.g., '.FORM.YAML') that bypassed the protection check but was still parsed as a YAML form definition by downstream handlers. Because TYPO3's Form Framework allows form definitions to declare database finishers and finisher options, attacker-controlled YAML translates into arbitrary SQL execution against the TYPO3 database. The upstream patch normalizes the identifier with mb_strtolower() before the suffix check in FilePersistenceSlot.php, and also lowercases filenames in LocalDriver.php sanitizeFileName() when the underlying filesystem is case-insensitive.
RemediationAI
Vendor-released patches: upgrade to TYPO3 10.4.57, 11.5.50, 12.4.45, 13.4.30, or 14.3.2 (or later) depending on your supported branch, as documented in advisory https://typo3.org/security/advisory/typo3-core-sa-2026-008 with the upstream fixes at GitHub commits 2030617e6f273cee7b756c695f0a48a45a31eb47 and eb2b2251d90339d3ab55df3d4c0378ae0c780b45. As an interim compensating control, audit backend user groups and revoke the 'file write' permission from any non-administrative editor accounts that do not strictly need it - this directly removes the prerequisite (PR:L plus file upload right) for exploitation but will block legitimate content editors from uploading assets until restored. Additionally, hosts running TYPO3 on case-insensitive filesystems (Windows, default macOS) are the realistic attack surface; where feasible, migrate the fileadmin storage to a case-sensitive Linux filesystem to neutralize the bypass, accepting that this is a non-trivial infrastructure change. At the web layer, configure the reverse proxy or WAF to reject backend upload requests whose filename matches case-insensitive '.form.yaml' patterns ('\.form\.ya?ml$' with the 'i' flag), recognizing this is a brittle stopgap that may block legitimate form-editor uploads.
Same weakness CWE-178 – Improper Handling of Case Sensitivity
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35393
GHSA-hwvq-2w67-rvxp