CVE-2026-49741 - TYPO3 form framework privilege escalation and SQL injection
CVE-2026-49741 / GHSA-jh32-v29g-68pq covers a TYPO3 Form Framework flaw in
which backend users with write access to the form_definition table could
create, update, or delete form definitions through DataHandler, bypassing the
Form Framework’s persistence validation and permission checks. The bypass
re-opened attack paths previously addressed in TYPO3-CORE-SA-2018-003,
including privilege escalation and SQL injection through crafted form
configuration.
This is not a generic “someone can edit a table” issue. The risky shape is that direct table writes bypass the framework layer that was supposed to normalize and validate form definitions. Fixing it means both upgrading TYPO3 and confirming the repository does not keep custom admin tooling, migrations, or extensions that still write directly to the vulnerable table path.
When to use it
- A TYPO3 backend resolves affected
typo3/cms-coreortypo3/cms-formversions. - Custom extensions, migrations, importers, scripts, or admin tools touch
form_definitionorDataHandlerform persistence paths. - Delegated backend users can edit forms, table records, or framework-managed configuration.
- You need a bounded PR or triage note that upgrades TYPO3 and proves custom form persistence still goes through validation.
Inputs
- Composer manifests and locks, TYPO3 extension manifests, Dockerfiles, deployment manifests, SBOMs, and generated dependency reports.
- Owned extensions, scripts, migrations, importers, admin tools, backend role definitions, and form persistence code.
- Available Composer/TYPO3 tests, extension tests, config render, container build, dependency scan, and safe role-check commands.
Affected versions
- Vulnerable:
typo3/cms-core >= 14.0.0, < 14.3.3 - Also affected:
typo3/cms-form >= 14.0.0, < 14.3.3 - Fixed:
14.3.3+ - Affected surface: TYPO3 backends where non-admin or delegated backend
users can write form records, extensions that manipulate
form_definitiondirectly, and administrative tooling that bypasses framework validation
Indicator-of-exposure
- The repository resolves
typo3/cms-coreortypo3/cms-formin the affected range. - Extensions, scripts, migrations, importers, or admin tools directly write to
form_definition. - Backend roles grant write access broad enough to modify form records or
invoke
DataHandlerpaths touching form definitions. - The deployment exposes form-building capabilities to delegated backend users rather than only tightly controlled administrators.
Quick checks:
rg -n "typo3/cms-core|typo3/cms-form|form_definition|DataHandler|Form Framework|TYPO3-CORE-SA-2018-003" .
composer show typo3/cms-core typo3/cms-form
rg -n "form_definition|DataHandler|TYPO3\\\\CMS\\\\Core\\\\DataHandling|FormPersistenceManager|backend user|BE user" packages extensions config scripts
Windows:
rg -n "typo3/cms-core|typo3/cms-form|form_definition|DataHandler|Form Framework|TYPO3-CORE-SA-2018-003" .
composer show typo3/cms-core typo3/cms-form
rg -n "form_definition|DataHandler|TYPO3\\\\CMS\\\\Core\\\\DataHandling|FormPersistenceManager|backend user|BE user" packages extensions config scripts
Do not validate exposure by injecting malicious form payloads or SQL fragments into a live backend.
Remediation strategy
- Upgrade
typo3/cms-coreandtypo3/cms-formto14.3.3+everywhere the repository controls them. - Remove direct writes to
form_definitionfrom custom extensions, scripts, importers, or maintenance tooling. Route edits through the validated Form Framework APIs only. - Re-review backend role assignments for delegated form editors and remove unnecessary table-write privileges.
- Add tests or code review gates around extensions that touch form persistence so future changes do not bypass framework validation.
- Review whether any prior local mitigations for
TYPO3-CORE-SA-2018-003should remain even after the upgrade.
The prompt
You are remediating CVE-2026-49741 / GHSA-jh32-v29g-68pq, a high-severity TYPO3
Form Framework privilege-escalation and SQL-injection issue caused by direct
`DataHandler` access to `form_definition` records bypassing framework
validation. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades TYPO3, removes direct
`form_definition` write paths, tightens backend permissions, adds safe
verification, and documents operator follow-up, or
- TRIAGE.md if this repository does not control an affected TYPO3 dependency,
extension, deployment, or mitigation path.
## Rules
- Scope only CVE-2026-49741 / GHSA-jh32-v29g-68pq and directly related TYPO3
form persistence, `DataHandler`, backend role, and extension code paths.
- Treat backend credentials, database content, form definitions, customer data,
and logs as sensitive.
- Do not inject malicious form definitions or SQL payloads into a live TYPO3
environment.
- Do not broaden backend permissions or keep direct table writes because they
are convenient for local tooling.
- Do not auto-merge.
## Steps
1. Inventory every controlled TYPO3 reference in `composer.json`,
`composer.lock`, extension manifests, Dockerfiles, deployment manifests, and
operator docs.
2. Resolve versions. Any `typo3/cms-core` or `typo3/cms-form` on `>= 14.0.0,
< 14.3.3` is affected.
3. Search owned extensions, scripts, migrations, and tooling for
`form_definition`, `DataHandler`, or direct database writes related to forms.
4. Identify backend role and permission assumptions around form editing, table
writes, and delegated content administration.
5. If the repository does not control an affected TYPO3 backend or only
contains unrelated client code, stop with `TRIAGE.md` naming the owner and
required version `14.3.3+`.
6. Upgrade all controlled TYPO3 dependencies to `14.3.3+` and regenerate the
lockfile, image metadata, dependency reports, and SBOMs.
7. Remove direct `form_definition` write paths from owned code. Replace them
with the framework-supported persistence and validation flow.
8. Tighten backend permissions so delegated users only have the minimum needed
form-management access and no unnecessary raw table-write capability.
9. Add safe tests or policy checks:
- resolved package versions are `14.3.3+`;
- owned extensions no longer write directly to `form_definition`;
- backend-role tests prove unauthorized users cannot bypass form-validation
paths;
- dependency and extension scans reflect the upgraded version.
10. Add a PR body section named `CVE-2026-49741 operator actions` that states:
- TYPO3 versions before and after;
- whether custom code touched `form_definition` directly;
- which backend roles were reviewed or changed;
- whether any historical mitigations from TYPO3-CORE-SA-2018-003 remain
relevant;
- which logs, admin actions, or database history operators should review.
11. Run relevant validation: Composer install, TYPO3 tests, extension tests,
config rendering, container build, dependency scans, and safe role or route
checks that do not inject exploit payloads.
12. Use PR title:
`fix(sec): remediate TYPO3 form persistence bypass`.
## Stop conditions
- No controlled TYPO3 backend or extension exists.
- The repository only documents a vendor-managed TYPO3 service and cannot
change dependencies or permissions.
- Safe verification would require exploit payloads or production-only database
access.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled dependency resolves
typo3/cms-coreortypo3/cms-formbelow14.3.3. - Owned code no longer writes directly to
form_definitionoutside the validated framework path. - Backend roles are reviewed and narrowed where needed.
- Tests and scans prove the upgrade and persistence-path cleanup landed together.
Output contract
- Reviewer-ready PR upgrading TYPO3 Form Framework dependencies to
14.3.3+and refreshing locks, images, SBOMs, and reports. - Evidence that owned extensions and tooling no longer write directly to
form_definitionoutside the validated framework path. - Operator notes for backend roles, historical mitigations, logs/admin actions, and database-history review.
TRIAGE.mdwhen the affected TYPO3 backend, extension, deployment, or mitigation path is not controlled by this repository.
Watch for
- Upgrading Composer packages while custom extensions keep the vulnerable persistence bypass behavior.
- Treating admin-only local tools as harmless if they bypass validation in production deployments too.
- Narrowing one backend role but leaving equivalent write capability elsewhere.
- Forgetting to review historical mitigations related to
TYPO3-CORE-SA-2018-003.
Related recipes
- CVE-2026-48507 Snipe-IT bulk user lockout
- Vulnerable dependency remediation
- CVE intelligence intake gate
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-jh32-v29g-68pq
- TYPO3 advisory: https://typo3.org/security/advisory/typo3-core-sa-2026-017
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49741