SQL Injection in Typo3 Extension "News System"
CVE-2026-8726
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Expl…
Vulnerability class: SQL Injection
EPSS: 0.001 (35.1th percentile)
Affected products
- Typo3 Extension "News System" — versions 14.0.0, 12.0.0, 11.0.0
Weakness classification (CWE)
References
- f4fb688c-4412-4426-b4b8-421ecf27b14a (vendor-advisory)