CVE-2026-8726

Published: Mag 19, 2026 Last Modified: Mag 19, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,2
Source: f4fb688c-4412-4426-b4b8-421ecf27b14a
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the 'Date Menu of news articles' plugin. Exploitation requires the 'Date Menu of news articles' plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0008
Percentile
0,2th
Updated

EPSS Score Trend (Last 2 Days)

89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Availability Authentication Access Control
Potential Impacts:
Execute Unauthorized Code Or Commands Read Application Data Gain Privileges Or Assume Identity Bypass Protection Mechanism Modify Application Data
Applicable Platforms
Languages: Not Language-Specific, SQL
Technologies: Database Server
Likelihood of Exploit: High
View CWE Details
https://typo3.org/security/advisory/typo3-ext-sa-2026-010
https://typo3.org/security/advisory/typo3-ext-sa-2026-010