typo3/cms-form
Packagist7 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting typo3/cms-formpage 1 of 1
- CVE-2021-21355HIGHCVSS 8.6EG 8.6✓ Fixed in 11.1.12021-03-23
vulnerable: v11.0.0, v11.1.0
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary …
- CVE-2021-21357HIGHCVSS 8.3EG 8.3✓ Fixed in 11.1.12021-03-23
vulnerable: v11.0.0, v11.1.0
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data …
- CVE-2021-21358MEDIUMCVSS 5.4EG 5.4✓ Fixed in 11.1.12021-03-23
vulnerable: v11.0.0, v11.1.0
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid bac…
- CVE-2024-55922MEDIUMCVSS 5.4EG 5.4✓ Fixed in 13.4.32025-01-14
vulnerable: v13.0.0 ... v13.4.2 (10 versions)
TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forge…
- CVE-2026-11607HIGHCVSS 7.6EG 7.6✓ Fixed in 14.3.32026-06-09
vulnerable: v14.0.0 ... v14.3.2 (9 versions)
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used t…
- CVE-2026-47346HIGHCVSS 7.6EG 7.6✓ Fixed in 14.3.32026-06-09
vulnerable: v14.0.0 ... v14.3.2 (9 versions)
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to e…
- CVE-2026-49741HIGHCVSS 8.7EG 8.7✓ Fixed in 14.3.32026-06-09
vulnerable: v14.0.0 ... v14.3.2 (9 versions)
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. Thi…
Check whether typo3/cms-form is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for typo3/cms-form CVEs against the assets you own.
Start Free Scan →