CVE-2026-8827: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TYPO3 Extension "Address List"
CVE-2026-8827 is a high-severity SQL Injection vulnerability in the TYPO3 Extension "Address List". The vulnerability arises from the AddressRepository::getSqlQuery() method, which constructs SQL queries without properly sanitizing user input. However, this method is not called anywhere within the extension itself, so a default installation is not directly at risk. The vulnerability becomes exploitable only if custom extensions invoke this method with untrusted input. There is no known exploit in the wild and no official patch or remediation guidance has been provided yet.
AI Analysis
Technical Summary
The TYPO3 Extension "Address List" contains a SQL Injection vulnerability (CWE-89) in the AddressRepository::getSqlQuery() method due to improper neutralization of special elements in SQL commands. This method builds database queries without adequate input sanitization. Since the method is not used internally by the extension, the vulnerability does not pose a direct risk in default setups. However, if custom extensions call this method with untrusted input, it could lead to SQL Injection attacks. The vulnerability affects versions 9.0.0, 10.0.0, and 0 of the extension. The CVSS 4.0 base score is 8.2, indicating high severity. No patch or official remediation level is currently documented.
Potential Impact
Successful exploitation could allow an attacker to perform SQL Injection via custom extensions that invoke the vulnerable method with untrusted input. This could lead to unauthorized database queries, potentially exposing or manipulating sensitive data. Default installations of the extension are not directly vulnerable since the method is not invoked internally. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerable method is not used by default, sites without custom extensions calling this method are not directly at risk. Developers should avoid calling AddressRepository::getSqlQuery() with untrusted input or implement proper input sanitization if they do. Monitor TYPO3 vendor advisories for any forthcoming official fixes or updates.
CVE-2026-8827: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TYPO3 Extension "Address List"
Description
CVE-2026-8827 is a high-severity SQL Injection vulnerability in the TYPO3 Extension "Address List". The vulnerability arises from the AddressRepository::getSqlQuery() method, which constructs SQL queries without properly sanitizing user input. However, this method is not called anywhere within the extension itself, so a default installation is not directly at risk. The vulnerability becomes exploitable only if custom extensions invoke this method with untrusted input. There is no known exploit in the wild and no official patch or remediation guidance has been provided yet.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The TYPO3 Extension "Address List" contains a SQL Injection vulnerability (CWE-89) in the AddressRepository::getSqlQuery() method due to improper neutralization of special elements in SQL commands. This method builds database queries without adequate input sanitization. Since the method is not used internally by the extension, the vulnerability does not pose a direct risk in default setups. However, if custom extensions call this method with untrusted input, it could lead to SQL Injection attacks. The vulnerability affects versions 9.0.0, 10.0.0, and 0 of the extension. The CVSS 4.0 base score is 8.2, indicating high severity. No patch or official remediation level is currently documented.
Potential Impact
Successful exploitation could allow an attacker to perform SQL Injection via custom extensions that invoke the vulnerable method with untrusted input. This could lead to unauthorized database queries, potentially exposing or manipulating sensitive data. Default installations of the extension are not directly vulnerable since the method is not invoked internally. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerable method is not used by default, sites without custom extensions calling this method are not directly at risk. Developers should avoid calling AddressRepository::getSqlQuery() with untrusted input or implement proper input sanitization if they do. Monitor TYPO3 vendor advisories for any forthcoming official fixes or updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- TYPO3
- Date Reserved
- 2026-05-18T11:19:55.225Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0c3637ec166c07b08eb1c3
Added to database: 5/19/2026, 10:06:47 AM
Last enriched: 5/19/2026, 10:21:39 AM
Last updated: 5/19/2026, 11:09:30 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.