CVE-2026-8726

Published: May 19, 2026

Modified: Jun 2, 2026

PUBLISHED

Description

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

Vendor, Product, Versions

Vendor: TYPO3

Product: Extension "News system"

Versions:
affected: 14.0.0 - < 14.0.3
affected: 13.0.0 - < 13.0.2
affected: 12.0.0 - < 12.3.2
affected: 11.0.0 - < 11.4.4
affected: 0 - < 10.0.4

Weaknesses (CWE)
