TYPO3-EXT-SA-2026-010: SQL Injection in extension "News system" (news)
It has been discovered that the extension "News system" (news) is vulnerable to SQL Injection.
- Release Date: May 19, 2026
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "News system" (news)
- Composer Package Name: georgringer/news
- Vulnerability Type: SQL Injection
- Affected Versions: 14.0.0 - 14.0.2, 13.0.0 - 13.0.1, 12.0.0 - 12.3.1, 11.4.3 and below
- Severity: High
- Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- References: CVE-2026-8726, CWE-89
Problem Description
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin.
Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.
Solution
Updated versions 14.0.3, 13.0.2, 12.3.2 and 11.4.4 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/news/14.0.3/zip
https://extensions.typo3.org/extension/download/news/13.0.2/zip
https://extensions.typo3.org/extension/download/news/12.3.2/zip
https://extensions.typo3.org/extension/download/news/11.4.4/zip
Users of the extension are advised to update the extension as soon as possible.
Credits
Thanks to TYPO3 Core Team member Christian Kuhn for reporting the vulnerability and to TYPO3 Core and Security Team member Georg Ringer for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.