Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
AnalysisAI
TYPO3 CMS 14.2.0 stores backend user passwords in cleartext within database fields (uc, user_settings) when passwords are changed through the user settings module. Remote attackers with database read access or exploiting SQL injection vulnerabilities can retrieve plaintext credentials for backend administrator accounts. Vendor patch available via GitHub commit 9a6e913f. No active exploitation confirmed at time of analysis, though high CVSS subsequent system impact scores (SC:H/SI:H/SA:H) indicate potential for privilege escalation if database is compromised.
Technical ContextAI
TYPO3 CMS is an open-source PHP-based content management system. The vulnerability stems from improper password storage (CWE-312: Cleartext Storage of Sensitive Information) in the backend user management module. When administrators or backend users update their passwords through the user settings interface in version 14.2.0, the system writes the plaintext password value into the 'uc' (user configuration) and 'user_settings' serialized fields of the be_users table instead of storing only the hashed value in the password field. This violates fundamental security principles as database dumps, backup files, log entries, or any compromise of database read access exposes valid authentication credentials. The affected product is identified as cpe:2.3:a:typo3:typo3_cms:14.2.0 specifically. Modern CMS architectures should never persist cleartext credentials; passwords must be hashed using bcrypt, Argon2, or similar one-way functions before storage.
RemediationAI
Apply the vendor-released patch immediately by upgrading to TYPO3 CMS version 14.2.1 or later, or manually apply the fix from GitHub commit 9a6e913f70767f63b322ae3e2d2f4e302624c291 available at https://github.com/TYPO3/typo3/commit/9a6e913f70767f63b322ae3e2d2f4e302624c291. After patching, conduct forensic review of the be_users table to identify and purge cleartext passwords from uc and user_settings fields for all backend user records. Force password resets for all backend users to ensure only properly hashed credentials remain in the database. Review database backup retention policies and sanitize or rotate backups created while running vulnerable 14.2.0 to prevent credential exposure from archived data. If immediate patching is not feasible, implement compensating controls: restrict database access to localhost only via firewall rules (blocks remote database exploitation but impacts legitimate remote admin tools), enable database query logging to detect unauthorized access attempts (performance overhead 5-15%), require multi-factor authentication for all backend user accounts (does not prevent credential theft but limits their utility), and prohibit backend users from changing passwords through the user settings module by removing the permission (impacts usability, requires admin-initiated password resets). Full advisory details at https://typo3.org/security/advisory/typo3-core-sa-2026-005.
Same weakness CWE-312 – Cleartext Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24081
GHSA-xvv6-p4wf-mvx7