{"id":"CVE-2026-8726","summary":"SQL Injection in extension \"News system\" (news)","details":"The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the \"Date Menu of news articles\" plugin. Exploitation requires the \"Date Menu of news articles\" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.","aliases":["GHSA-g868-j3qm-4j28"],"modified":"2026-07-08T08:13:52.406402861Z","published":"2026-05-19T09:22:09.037Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8726.json","cwe_ids":["CWE-89"],"cna_assigner":"TYPO3"},"references":[{"type":"WEB","url":"https://packagist.org/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8726.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8726"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-ext-sa-2026-010"},{"type":"PACKAGE","url":"https://github.com/georgringer/news"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/georgringer/news","events":[{"introduced":"a688e3f32db19dae62982bc6aecdd0071ea4a08e"},{"fixed":"cec1cd776a32e5cec527575b97ca7b044ceac19c"},{"introduced":"0db70e125bb0b97c1da3a3d9f8582ce24ccce49c"},{"fixed":"afa3f4d90f8e385ae1dcf07908d1b8d71727dceb"},{"introduced":"f5e5d78bc78b14363d15cfe739ef90b53a6d9812"},{"fixed":"d43ae0cd0d698709c87b0a8703c68739f305625f"},{"introduced":"a08c0e5355b8cc6801cc2916f71745f2ace9ae1d"},{"fixed":"eb7649994a5f3c54f8ea40c5e87c6c7764317076"},{"introduced":"0"},{"fixed":"3a5ef67f2555c30b7471e1bb93958e4602c63940"}],"database_specific":{"extracted_events":[{"introduced":"14.0.0"},{"fixed":"14.0.3"},{"introduced":"13.0.0"},{"fixed":"13.0.2"},{"introduced":"12.0.0"},{"fixed":"12.3.2"},{"introduced":"11.0.0"},{"fixed":"11.4.4"},{"introduced":"0"},{"fixed":"10.0.4"}],"source":"AFFECTED_FIELD"}}],"versions":["10.0.3","9.4.0","11.4.3","13.0.1","12.3.1","14.0.2","14.0.1","14.0.0","13.0.0","12.3.0","12.2.0","12.1.0","11.4.2","12.0.0","11.4.1","11.4.0","11.3.0","11.2.0","11.1.2","11.1.1","11.1.0","11.0.0","10.0.2","10.0.1","10.0.0","9.3.1","9.3.0","9.2.0","9.1.1","9.1.0","9.0.0","8.6.0","8.5.2","8.5.1","8.5.0","8.4.1","8.4.0","8.3.0","8.2.0","8.1.1","8.1.0","8.0.0","7.3.1","7.3.0","7.2.3","7.2.2","7.2.0","7.1.0","7.2.1","7.0.8","7.0.7","7.0.6","7.0.5","7.0.4","7.0.3","7.0.2","7.0.1","7.0.0","6.3.0","6.2.1","6.2.0","6.1.1","6.1.0","6.0.0","4.3.0","5.3.1","5.3.0","5.2.0","5.1.0","5.0.0","4.2.1","4.2.0","4.1.0","4.0.0","3.2.2","3.2.1","3.2.0","3.1.0","2.3.0","3.0.0","2.2.1","2.2.0","2.1.0","2.0.0","v3.0alpha"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8726.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}