CVE-2026-8827

Summary

The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.

Affected Software

VendorProductVersion RangeStatus
TYPO3Extension “Address List”10.0.0 < 10.0.1affected
TYPO3Extension “Address List”9.0.0 < 9.1.1affected
TYPO3Extension “Address List”0 < 8.1.2affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References