Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.
AnalysisAI
SQL injection in the TYPO3 'news' extension allows unauthenticated remote attackers to inject arbitrary SQL through a URL parameter on pages that render the 'Date Menu of news articles' plugin. The flaw stems from missing sanitization of user input before it reaches a database query, and exposure is limited to sites that both use the affected plugin and have not enabled the TypoScript/plugin setting disableOverrideDemand. No public exploit identified at time of analysis.
Technical ContextAI
TYPO3 is a PHP-based enterprise CMS, and the 'news' extension (per CPE cpe:2.3:a:typo3:extension_"news_system":*) is one of its most widely deployed third-party extensions for editorial content. The vulnerable code path is the 'Date Menu of news articles' plugin, which renders archive navigation by date and accepts filter values from URL parameters. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) applies: the extension concatenates or otherwise embeds attacker-controlled input into a query without parameterization or type-casting, allowing the input to break out of its intended SQL context. The disableOverrideDemand TypoScript setting normally restricts which Demand object properties (the news extension's query-shaping abstraction) can be overridden from request input - when not enabled, the vulnerable parameter remains reachable.
RemediationAI
Patch available per vendor advisory - consult https://typo3.org/security/advisory/typo3-ext-sa-2026-010 (TYPO3-EXT-SA-2026-010) for the fixed release of the news extension and upgrade via Composer or the Extension Manager to that version; the input data does not include a specific fix version, so cite the advisory's listed release rather than guessing. As an interim compensating control, set the TypoScript/plugin option disableOverrideDemand = 1 for the news plugin, which the advisory itself identifies as blocking the vulnerable code path (side effect: any legitimate use of request-driven Demand overrides on that site stops working, so editorial date filters driven by GET parameters may need to be reimplemented server-side). If the 'Date Menu of news articles' plugin is not actively used, remove its inclusion from page templates or unregister the plugin entirely. Web application firewall rules that reject SQL metacharacters on the relevant URL parameter can reduce drive-by exploitation but should be treated as a stopgap, not a substitute for upgrading.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30861
GHSA-g868-j3qm-4j28