A Form Framework That Creates Admin Accounts
TYPO3-CORE-SA-2026-019 discloses a broken access control vulnerability in the TYPO3 CMS Form Framework. An attacker who can upload or modify form definition files can craft malicious definitions that execute arbitrary SQL statements against the TYPO3 database. The SQL execution allows privilege escalation — specifically, creating new administrative backend user accounts.
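The impact the advisory describes is a new administrative backend account, which is something a defender can audit directly in the database regardless of how the account was created. The following script is an added example, not code from TYPO3 or from the advisory; it assumes the standard `be_users` columns (`uid`, `username`, `admin`, `crdate`, `deleted`, `disable`), a defender-maintained allowlist of known admin usernames, and a baseline timestamp after which no admin account should have appeared. The sample rows are constructed to stand in for the query result.

```python
"""Audit TYPO3 backend users for admin accounts that should not exist.

Added example (not TYPO3 project code). Assumes the standard be_users
schema: admin=1 marks a backend administrator, crdate is the creation
time as a Unix timestamp, deleted=1 is a soft-deleted row.
"""
from datetime import datetime, timezone

# Query a defender would run against the live TYPO3 database to feed
# find_unexpected_admins(); the column set is the assumed be_users schema.
BE_USERS_QUERY = (
    "SELECT uid, username, admin, crdate, deleted, disable "
    "FROM be_users WHERE admin = 1"
)

# Constructed sample rows shaped like the query result above (not real data).
SAMPLE_BE_USERS = [
    {"uid": 1, "username": "admin",      "admin": 1, "crdate": 1704067200, "deleted": 0, "disable": 0},
    {"uid": 2, "username": "editor",     "admin": 0, "crdate": 1704153600, "deleted": 0, "disable": 0},
    {"uid": 3, "username": "ops_backup", "admin": 1, "crdate": 1704240000, "deleted": 1, "disable": 0},
    {"uid": 4, "username": "svc_form",   "admin": 1, "crdate": 1780000000, "deleted": 0, "disable": 0},
]

# Allowlist the operations team maintains out of band (hypothetical value).
KNOWN_ADMINS = {"admin"}


def find_unexpected_admins(rows, known_admins, since_epoch):
    """Return live admin accounts that are unknown or newer than the baseline.

    rows:         iterable of dicts with the be_users columns listed above
    known_admins: set of usernames that are expected to hold admin rights
    since_epoch:  Unix timestamp of the last verified baseline; any admin
                  created at or after it is flagged even if allowlisted
    """
    findings = []
    for row in rows:
        # Only active admin rows matter; soft-deleted rows are skipped.
        if row["admin"] != 1 or row["deleted"]:
            continue
        reasons = []
        if row["username"] not in known_admins:
            reasons.append("not in admin allowlist")
        if row["crdate"] >= since_epoch:
            reasons.append("created after baseline")
        if reasons:
            findings.append({
                "uid": row["uid"],
                "username": row["username"],
                "created": datetime.fromtimestamp(row["crdate"], tz=timezone.utc).isoformat(),
                "disabled": bool(row["disable"]),
                "reasons": reasons,
            })
    # Oldest first so a reviewer sees the earliest unexpected account at the top.
    return sorted(findings, key=lambda f: f["created"])


if __name__ == "__main__":
    # Baseline: the last time the admin list was verified (constructed value).
    BASELINE = 1750000000
    for finding in find_unexpected_admins(SAMPLE_BE_USERS, KNOWN_ADMINS, BASELINE):
        print(f"uid={finding['uid']} user={finding['username']} "
              f"created={finding['created']} reasons={', '.join(finding['reasons'])}")
```

Run on a schedule and diff the result against the previous run: an admin row that neither the allowlist nor the change log explains is the signal to investigate, whatever the creation path turns out to be. Disabled accounts are reported rather than ignored, since a disabled admin can be re-enabled.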
TYPO3 is an enterprise-grade open-source CMS used primarily in Germany, Austria, and Switzerland, with deployments across government agencies, universities, and large corporations. It is the fourth-largest CMS by market share in the DACH region. A vulnerability that creates admin accounts from form definitions affects organizations that depend on TYPO3 for their public-facing and internal web infrastructure.
The Legacy CMS Pattern
TYPO3 joins WordPress, Drupal, and Joomla in the June 2026 legacy CMS vulnerability catalog. WordPress: UpdraftPlus RCE (3M sites), Ninja Forms file upload, Kirki account takeover, Avada SQL injection. Drupal: core SQL injection (CVE-2026-9082, CISA KEV). Now TYPO3: form framework SQL injection with admin creation.
The pattern is architectural, not vendor-specific. Legacy CMS frameworks share structural properties that produce these vulnerabilities: server-side PHP execution with database access, extensible form and plugin systems that accept structured input, admin interfaces that manage privileged operations, and complex permission models that can be bypassed when input validation fails.
The DACH Enterprise Angle
TYPO3's deployment profile is concentrated in German-speaking enterprise and government. WebPulse's regional scan data shows TYPO3 appearing in 8-12% of German government and enterprise sites — a significant share for a CMS that is barely visible globally. The TYPO3-CORE-SA-2026-019 vulnerability is particularly relevant for organizations subject to German and EU data protection requirements.
For DACH enterprises evaluating CMS modernization, the TYPO3 form framework vulnerability is another data point in the same calculation. The legacy CMS architecture — monolithic PHP with database access, extensible form systems, complex admin interfaces — produces the same vulnerability classes regardless of the specific CMS brand. The architecture is the risk. The vendor is the variable.