GHSA-3h52-6v6j-6wwvHigh

TYPO3 SQL Injection in extension "Address List" (tt_address)

Published
May 19, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

In the TYPO3 extension tt_address, the AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection. This has been patched in version 8.1.2, 9.1.1, and 10.0.1.

🎯 Affected products3

  • composer/friendsoftypo3/tt-address:>= 10.0.0, < 10.0.1
  • composer/friendsoftypo3/tt-address:>= 9.0.0, < 9.1.1
  • composer/friendsoftypo3/tt-address:< 8.1.2

🔗 References (4)