IA Squad
php · typo3/cms-core · Critical

typo3/cms-core: Form Framework File Inclusion Vulnerability

13 Jun 2026 · Read 1 min · Severity: act now

What changed

Backend users with Form Framework access could use files not ending in .form.yaml as form definitions, enabling arbitrary SQL execution and privilege escalation.

Who it affects

TYPO3 CMS installations where backend users have access to the Form Framework.

What to do today

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS immediately.
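
To find installations that still need the update, the check below reads a project's composer.lock and compares the locked typo3/cms-core version with the fixed releases listed above. It is an added example, not code from TYPO3 or the advisory. It assumes a Composer-based installation and treats any release in the same major line below the listed fixed version as unpatched, which the page does not state explicitly.

```python
import json
import re
import sys

# Fixed releases per major line, taken from the advisory text above.
FIXED = {10: (10, 4, 57), 11: (11, 5, 51), 12: (12, 4, 46),
         13: (13, 4, 31), 14: (14, 3, 3)}

def parse_version(raw):
    """Return (major, minor, patch), or None for dev/branch/pre-release refs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def core_status(lock_text):
    """Classify typo3/cms-core in composer.lock content.

    Returns (status, locked_version) where status is one of
    'patched', 'unpatched', 'unknown' or 'absent'.
    """
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") != "typo3/cms-core":
            continue
        raw = pkg.get("version", "")
        version = parse_version(raw)
        if version is None:
            return "unknown", raw   # e.g. dev-main: verify by hand
        fixed = FIXED.get(version[0])
        if fixed is None:
            return "unknown", raw   # major line not listed in the advisory
        # Assumption: same major line and lower than the fix means unpatched.
        return ("patched" if version >= fixed else "unpatched"), raw
    return "absent", None

# Constructed sample lock content (not from a real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-form", "version": "v13.4.30"},
    {"name": "typo3/cms-core", "version": "v13.4.30"},
]})

if __name__ == "__main__":
    # Pass a path to composer.lock, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(core_status(text))
```

An "unknown" result means the locked version is a branch reference or belongs to a major line the advisory does not list, so it needs a manual check.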
