CVE-2026-11607

Name: CVE-2026-11607 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2026-11607

HIGH

CVSS v4.0: 7.6 · EPSS: 0.0004 (11.2 percentile)

NetworkNo user interactionMissing AuthorizationVendor advisory ref

Source data as of: 2026-06-10 05:05:15 UTC

At a glance

Severity: HIGH
CVSS: 7.6 v4.0 · NVD
EPSS: 0.0004 (11.2 percentile) · FIRST.org
CISA KEV: No
Type: Missing Authorization · NVD CWE
Attack conditions (CVSS vector): NetworkNo user interaction · Source: NVD Vector
Published: 2026-06-09 · Modified: 2026-06-09
References: Jump to references (3)

CVSS / EPSS / KEV

CVSS v4.0 7.6 / 10 HIGH Source: NVD

EPSS 0.0004 11.2 percentile Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Record details

CVE ID: CVE-2026-11607
CVSS (v4.0): 7.6 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0004 (11.2 percentile) — 2026-06-10
CISA KEV: No
Weakness (CWE): CWE-862
Affected configurations (CPE): 0
Published: 2026-06-09
Modified: 2026-06-09
Status: Deferred

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

← Back to all records

CVE-2026-11607

At a glance

CVSS / EPSS / KEV

Description

Record details

References

Related records

Same weakness type (CWE)

Published the same year