TYPO3 Address List Extension SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the 'Address List' (tt_address) extension for TYPO3. The issue is in the AddressRepository::getSqlQuery() method, which builds a database query from its arguments without adequately sanitizing or parameterizing them. The method is not reachable with untrusted input in a default installation of the extension, so the flaw is not exploitable there on its own; it becomes exploitable when a custom extension calls getSqlQuery() with values taken from request data or another untrusted source.
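
The pattern described above, as an added illustration that is not code from the tt_address extension or its advisory: a repository method that splices a caller-supplied value into the SQL string, next to the hardened form that validates the value and binds it through TYPO3's QueryBuilder. The class and method names (DemoAddressRepository, findByUntrustedFilter, findByFilterSafely) are hypothetical; the ConnectionPool, Connection and QueryBuilder calls are TYPO3's own Doctrine DBAL based API (TYPO3 v11 and later method names).

```php
<?php
declare(strict_types=1);

// Added example, not the tt_address extension's own code. Class and method
// names are hypothetical; the TYPO3 database API calls are real.

use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class DemoAddressRepository
{
    /**
     * Vulnerable pattern: the caller's value is concatenated into the SQL
     * text. If $pidFromRequest comes from a GET/POST parameter, a value such
     * as "1 OR 1=1" or "0 UNION SELECT ..." is executed verbatim, so the
     * query is only as safe as every caller that reaches this method.
     */
    public function findByUntrustedFilter(string $pidFromRequest): array
    {
        $connection = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getConnectionForTable('tt_address');

        // String interpolation into SQL: this is the injection sink.
        $sql = 'SELECT uid, first_name, last_name, email FROM tt_address'
             . ' WHERE deleted = 0 AND pid = ' . $pidFromRequest;

        return $connection->executeQuery($sql)->fetchAllAssociative();
    }

    /**
     * Hardened pattern: check the shape of the input at the boundary, cast it
     * to the expected type, and bind it as a typed named parameter. The value
     * is sent separately from the statement and cannot alter its structure.
     */
    public function findByFilterSafely(string $pidFromRequest): array
    {
        // Reject anything that is not a plain non-negative integer literal.
        if (!ctype_digit($pidFromRequest)) {
            throw new \InvalidArgumentException('pid must be a non-negative integer');
        }
        $pid = (int)$pidFromRequest;

        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getQueryBuilderForTable('tt_address');

        // getQueryBuilderForTable() attaches TYPO3's default restrictions
        // (deleted, hidden, start/end time) for TCA tables, so only the
        // caller's own condition needs to be written here.
        return $queryBuilder
            ->select('uid', 'first_name', 'last_name', 'email')
            ->from('tt_address')
            ->where(
                $queryBuilder->expr()->eq(
                    'pid',
                    $queryBuilder->createNamedParameter($pid, Connection::PARAM_INT)
                )
            )
            ->executeQuery()
            ->fetchAllAssociative();
    }
}
```

The same rule applies to any custom code that passes request data into a tt_address repository method: validate and cast at the controller boundary, and let the database layer receive only typed, bound parameters.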

Impact

Successful exploitation lets an attacker alter the structure of the query that the extension sends to the database. Depending on the database user's privileges, this can lead to unauthorized reading of data (including records from other tables), modification or deletion of data, or, in some configurations, execution of administrative operations on the database.

Remediation

Users of the 'Address List' extension are advised to update to version 10.0.1, 9.1.1, or 8.1.2, depending on the release line in use. These versions are available through the TYPO3 Extension Manager, Packagist, and the TYPO3 Extension Repository. Because the default installation does not expose the flaw, site owners should also review their own extensions for calls to AddressRepository::getSqlQuery() and make sure that any value passed to it is validated and typed before it reaches the repository.

Added: May 19, 2026, 10:18 AM
Updated: May 19, 2026, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 3.1
exploitability: 6.8
remediation: 3.1
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.