Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.
AnalysisAI
SQL injection in the TYPO3 'address_list' extension's AddressRepository::getSqlQuery() method allows remote attackers to manipulate database queries when the method is called with untrusted input. The flaw is latent - the vulnerable method is not invoked anywhere within the extension itself, so default installations are not exposed, but custom or third-party extensions that reuse this method become injection sinks. No public exploit identified at time of analysis, and no EPSS or KEV signal accompanies the advisory.
Technical ContextAI
TYPO3 is a PHP-based enterprise CMS, and the affected component is the third-party 'address_list' extension (CPE cpe:2.3:a:typo3:extension_"address_list"). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): AddressRepository::getSqlQuery() concatenates or interpolates externally controlled values into an SQL statement rather than using TYPO3's QueryBuilder parameter binding or prepared statements. Because the method is exposed as a public API surface of the repository class, any downstream extension importing the repository and passing request-derived data becomes a vector for tampering with the generated query.
RemediationAI
Patch available per vendor advisory TYPO3-EXT-SA-2026-012 (https://typo3.org/security/advisory/typo3-ext-sa-2026-012) - upgrade the address_list extension to the fixed release referenced in that advisory; an exact fix version was not provided in the input data, so confirm the version directly from the advisory before deployment. As a compensating control while patching, audit all in-house and third-party extensions for calls to AddressRepository::getSqlQuery() and replace them with parameterized TYPO3 QueryBuilder calls (createNamedParameter with explicit PDO types); the trade-off is engineering effort and possible behavioural differences if the original callers relied on string interpolation semantics. If immediate patching is not possible, temporarily restrict or remove any custom endpoints that funnel user input into the address repository, accepting the loss of those features until the upgrade lands.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30866
GHSA-3h52-6v6j-6wwv