Skip to main content

TYPO3 address_list EUVDEUVD-2026-30866

| CVE-2026-8827 HIGH
SQL Injection (CWE-89)
2026-05-19 TYPO3 GHSA-3h52-6v6j-6wwv
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 19, 2026 - 11:16 EUVD
Analysis Generated
May 19, 2026 - 10:46 vuln.today
CVSS changed
May 19, 2026 - 10:22 NVD
8.2 (HIGH)

DescriptionCVE.org

The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.

AnalysisAI

SQL injection in the TYPO3 'address_list' extension's AddressRepository::getSqlQuery() method allows remote attackers to manipulate database queries when the method is called with untrusted input. The flaw is latent - the vulnerable method is not invoked anywhere within the extension itself, so default installations are not exposed, but custom or third-party extensions that reuse this method become injection sinks. No public exploit identified at time of analysis, and no EPSS or KEV signal accompanies the advisory.

Technical ContextAI

TYPO3 is a PHP-based enterprise CMS, and the affected component is the third-party 'address_list' extension (CPE cpe:2.3:a:typo3:extension_"address_list"). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): AddressRepository::getSqlQuery() concatenates or interpolates externally controlled values into an SQL statement rather than using TYPO3's QueryBuilder parameter binding or prepared statements. Because the method is exposed as a public API surface of the repository class, any downstream extension importing the repository and passing request-derived data becomes a vector for tampering with the generated query.

RemediationAI

Patch available per vendor advisory TYPO3-EXT-SA-2026-012 (https://typo3.org/security/advisory/typo3-ext-sa-2026-012) - upgrade the address_list extension to the fixed release referenced in that advisory; an exact fix version was not provided in the input data, so confirm the version directly from the advisory before deployment. As a compensating control while patching, audit all in-house and third-party extensions for calls to AddressRepository::getSqlQuery() and replace them with parameterized TYPO3 QueryBuilder calls (createNamedParameter with explicit PDO types); the trade-off is engineering effort and possible behavioural differences if the original callers relied on string interpolation semantics. If immediate patching is not possible, temporarily restrict or remove any custom endpoints that funnel user input into the address repository, accepting the loss of those features until the upgrade lands.

Share

EUVD-2026-30866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy