CVE-2026-49741
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition record
CVSS
—
Sin CVSS
EPSS
0.2%
p16
KEV
—
Exploit Today
5
0-100
Publicado: 9 jun 2026 · Última mod.: 15 jul 2026 · CWE-89 · CWE-862
0.2%EPSS · 30 días0.2%
2026-06-302026-07-18
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.2.
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-422089.8 CRÍ99.7%
KEV—80BerriAI LiteLLM SQL Injection Vulnerability5dCVE-2026-277718.2 ALT98.5%
——30Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.12dCVE-2020-249139.8 CRÍ98.5%
——30A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.11dCVE-2023-361447.5 ALT98.3%
——30An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration.11dCVE-2021-445958.8 ALT97.3%
——29Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges.11dCVE-2026-479927.2 ALT97.1%
——29Adobe Commerce is affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to execute malicious SQL commands, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction.4d