TYPO3-EXT-SA-2026-012: SQL Injection in extension "Address List" (tt_address)
It has been discovered that the extension "Address List" (tt_address) is vulnerable to SQL Injection.
- Release Date: May 19, 2026
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "Address List" (tt_address)
- Composer Package Name: friendsoftypo3/tt-address
- Vulnerability Type: SQL Injection
- Affected Versions: 10.0.0, 9.0.0 - 9.1.0, 8.1.1 and below
- Severity: Medium (rated lower than the CVSS score, as the vulnerable method is not invoked by the extension itself)
- Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- References: CVE-2026-8827, CWE-89
Problem Description
The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input leading to SQL Injection.
The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection
Solution
Updated versions 10.0.1, 9.1.1 and 8.1.2 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/tt_address/10.0.1/zip
https://extensions.typo3.org/extension/download/tt_address/9.1.1/zip
https://extensions.typo3.org/extension/download/tt_address/8.1.2/zip
Users of the extension are advised to update the extension as soon as possible.
Credits
Thanks to TYPO3 Core and Security Team member Georg Ringer for reporting the vulnerability and for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.