CVE-2026-6553 (GCVE-0-2026-6553)

Vulnerability from cvelistv5 – Published: 2026-04-21 10:04 – Updated: 2026-04-21 13:20
VLAI?
Title
TYPO3 CMS Stores Cleartext Password in User Settings Module
Summary
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
Severity ?
7.3 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-312 - Cleartext storage of sensitive information
Assigner
References
Impacted products
Vendor Product Version
TYPO3 TYPO3 CMS Affected: 14.2.0 , < 14.3.0 (semver)
Create a notification for this product.
Credits
Martin Clewing Garvin Hicking Stefan Bürk Oliver Hader
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-21T13:20:11.733627Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-21T13:20:23.515Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "packageName": "typo3/cms-backend",
          "product": "TYPO3 CMS",
          "repo": "https://github.com/TYPO3/typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "lessThan": "14.3.0",
              "status": "affected",
              "version": "14.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "14.3.0",
                  "versionStartIncluding": "14.2.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Martin Clewing"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Garvin Hicking"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Stefan B\u00fcrk"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Oliver Hader"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Changing backend users\u0027 passwords via the user settings module results in storing the cleartext password in the \u003ccode\u003euc\u003c/code\u003e and \u003ccode\u003euser_settings\u003c/code\u003e fields of the \u003ccode\u003ebe_users\u003c/code\u003e database table. This issue affects TYPO3 CMS version 14.2.0."
            }
          ],
          "value": "Changing backend users\u0027 passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext storage of sensitive information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T10:08:27.342Z",
        "orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
        "shortName": "TYPO3"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-005"
        },
        {
          "name": "Git commit of main branch",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TYPO3/typo3/commit/9a6e913f70767f63b322ae3e2d2f4e302624c291"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "TYPO3 CMS Stores Cleartext Password in User Settings Module",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
    "assignerShortName": "TYPO3",
    "cveId": "CVE-2026-6553",
    "datePublished": "2026-04-21T10:04:02.525Z",
    "dateReserved": "2026-04-17T21:40:53.165Z",
    "dateUpdated": "2026-04-21T13:20:23.515Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-6553",
      "date": "2026-04-21",
      "epss": "0.00029",
      "percentile": "0.08361"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-6553\",\"sourceIdentifier\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"published\":\"2026-04-21T10:16:31.220\",\"lastModified\":\"2026-04-21T16:20:24.180\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Changing backend users\u0027 passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-312\"}]}],\"references\":[{\"url\":\"https://github.com/TYPO3/typo3/commit/9a6e913f70767f63b322ae3e2d2f4e302624c291\",\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\"},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2026-005\",\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"f4fb688c-4412-4426-b4b8-421ecf27b14a\", \"shortName\": \"TYPO3\", \"dateUpdated\": \"2026-04-21T10:08:27.342Z\"}, \"title\": \"TYPO3 CMS Stores Cleartext Password in User Settings Module\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-312\", \"description\": \"CWE-312 Cleartext storage of sensitive information\", \"type\": \"CWE\"}]}], \"affected\": [{\"vendor\": \"TYPO3\", \"product\": \"TYPO3 CMS\", \"collectionURL\": \"https://packagist.org\", \"packageName\": \"typo3/cms-backend\", \"repo\": \"https://github.com/TYPO3/typo3\", \"versions\": [{\"status\": \"affected\", \"version\": \"14.2.0\", \"lessThan\": \"14.3.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"cpeApplicability\": [{\"operator\": \"OR\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"14.2.0\", \"versionEndExcluding\": \"14.3.0\"}]}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Changing backend users\u0027 passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"Changing backend users\u0027 passwords via the user settings module results in storing the cleartext password in the \u003ccode\u003euc\u003c/code\u003e and \u003ccode\u003euser_settings\u003c/code\u003e fields of the \u003ccode\u003ebe_users\u003c/code\u003e database table. This issue affects TYPO3 CMS version 14.2.0.\"}]}], \"references\": [{\"url\": \"https://typo3.org/security/advisory/typo3-core-sa-2026-005\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/TYPO3/typo3/commit/9a6e913f70767f63b322ae3e2d2f4e302624c291\", \"name\": \"Git commit of main branch\", \"tags\": [\"patch\"]}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"PASSIVE\", \"vulnConfidentialityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"exploitMaturity\": \"NOT_DEFINED\", \"Safety\": \"NOT_DEFINED\", \"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"version\": \"4.0\", \"baseSeverity\": \"HIGH\", \"baseScore\": 7.3, \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H\"}}], \"credits\": [{\"lang\": \"en\", \"value\": \"Martin Clewing\", \"type\": \"reporter\"}, {\"lang\": \"en\", \"value\": \"Garvin Hicking\", \"type\": \"remediation developer\"}, {\"lang\": \"en\", \"value\": \"Stefan B\\u00fcrk\", \"type\": \"remediation developer\"}, {\"lang\": \"en\", \"value\": \"Oliver Hader\", \"type\": \"remediation developer\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6553\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-21T13:20:11.733627Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-21T13:20:18.344Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-6553\", \"assignerOrgId\": \"f4fb688c-4412-4426-b4b8-421ecf27b14a\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"TYPO3\", \"dateReserved\": \"2026-04-17T21:40:53.165Z\", \"datePublished\": \"2026-04-21T10:04:02.525Z\", \"dateUpdated\": \"2026-04-21T13:20:23.515Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.