{"id":"CVE-2026-8827","summary":"SQL Injection in extension \"Address List\" (tt_address)","details":"The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.","aliases":["GHSA-3h52-6v6j-6wwv"],"modified":"2026-07-08T08:11:44.660945528Z","published":"2026-05-19T09:24:50.564Z","database_specific":{"cna_assigner":"TYPO3","cwe_ids":["CWE-89"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8827.json"},"references":[{"type":"WEB","url":"https://packagist.org/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8827.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8827"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-ext-sa-2026-012"},{"type":"PACKAGE","url":"https://github.com/FriendsOfTYPO3/tt_address"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/friendsoftypo3/tt_address","events":[{"introduced":"1070cc5d9485b0c02dfcfdb7245564c4ac37f299"},{"fixed":"f22107e67d51cd30cdca8c62f25235e977d916a2"},{"introduced":"a159f1d165f4e3014f6251504c27abecf27da96d"},{"fixed":"30d51bd1352e3c928ac088a4596183dda111cb7d"},{"introduced":"0"},{"fixed":"fece707962c23ca175ac57a4e60af0121ad9c398"}],"database_specific":{"extracted_events":[{"introduced":"10.0.0"},{"fixed":"10.0.1"},{"introduced":"9.0.0"},{"fixed":"9.1.1"},{"introduced":"0"},{"fixed":"8.1.2"}],"source":"AFFECTED_FIELD"}}],"versions":["9.1.0","8.1.1","10.0.0","9.0.1","9.0.0","8.1.0","8.0.3","8.0.2","8.0.1","8.0.0","7.1.0","7.0.0","6.1.0","6.0.1","6.0.0","5.3.0","5.2.1","5.2.0","5.1.2","5.1.1","5.1.0","5.0.0","4.3.0","4.2.0","4.1.0","4.0.1","4.0.0","v3.2.2","3.2.1","3.2.0","3.1.1","3.1.0","3.0.3","3.0.2","3.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8827.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}