TYPO3 CMS version 14.2.0 contains a vulnerability identified as CVE-2026-6553 (CWE-312) where backend user password changes through the user settings module result in storing the password in cleartext within the uc and user_settings fields of the be_users database table. This improper storage of sensitive credentials increases the risk of password disclosure if the database is compromised. The CVSS 4.0 base score is 7.3, reflecting high severity with network attack vector, low attack complexity, and partial user interaction required. No official patch or remediation level has been published by the vendor as of the data provided.

The vulnerability allows cleartext passwords to be stored in the TYPO3 CMS database, which could lead to credential exposure if an attacker gains access to the database. This undermines password confidentiality and could facilitate unauthorized access to backend user accounts. There are no known exploits in the wild reported. The impact is significant due to the sensitive nature of password data, but exploitation requires access to the database or a vector to retrieve these fields.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should limit database access strictly and monitor for unauthorized access. Avoid using the affected TYPO3 CMS version 14.2.0 for sensitive environments or consider mitigating by not changing passwords via the user settings module if possible. Follow vendor updates closely for an official fix.