CVE-2026-8726

Summary

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

Affected Software

VendorProductVersion RangeStatus
TYPO3Extension “News system”14.0.0 < 14.0.3affected
TYPO3Extension “News system”13.0.0 < 13.0.2affected
TYPO3Extension “News system”12.0.0 < 12.3.2affected
TYPO3Extension “News system”11.0.0 < 11.4.4affected
TYPO3Extension “News system”0 < 10.0.4affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References