Skip to main content

Extension News System

1 CVEs product

Monthly

CVE-2026-8726 PHP HIGH PATCH GHSA This Week

SQL injection in the TYPO3 'news' extension allows unauthenticated remote attackers to inject arbitrary SQL through a URL parameter on pages that render the 'Date Menu of news articles' plugin. The flaw stems from missing sanitization of user input before it reaches a database query, and exposure is limited to sites that both use the affected plugin and have not enabled the TypoScript/plugin setting disableOverrideDemand. No public exploit identified at time of analysis.

SQLi Extension News System
NVD
CVSS 4.0
8.2
EPSS
0.1%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

SQL injection in the TYPO3 'news' extension allows unauthenticated remote attackers to inject arbitrary SQL through a URL parameter on pages that render the 'Date Menu of news articles' plugin. The flaw stems from missing sanitization of user input before it reaches a database query, and exposure is limited to sites that both use the affected plugin and have not enabled the TypoScript/plugin setting disableOverrideDemand. No public exploit identified at time of analysis.

SQLi Extension News System
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy