CVE-2026-8726 – SQL Injection in extension “News system” (news)

CVE ID :CVE-2026-8726

Published : May 19, 2026, 10:16 a.m. | 44 minutes ago

Description :The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the “Date Menu of news articles” plugin. Exploitation requires the “Date Menu of news articles” plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8727 – Remote Code Execution in extension “Site Crawler” (crawler)

CVE-2026-46725 – Remote Code Execution in extension “Content Element Selector” (ceselector)

CVE-2026-46724 – Path Traversal in extension “Faceted Search” (ke_search)

CVE-2026-8827 – SQL Injection in extension “Address List” (tt_address)