CVEFinder.io

CVE-2026-46721

🔶 medium
🔍 Scan for this CVE
Summary

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.

CVSS Score
-
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-19
First Seen: 2026-05-20
🎯 CISA SSVC Assessment Updated: May 19, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Seungbin Yang (reporter) Sebastian Fischer (remediation developer)
SSVC data provided by CISA
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-639 CWE-915

📦 Affected Products 0

No affected products information available

🔗 References 1

https://typo3.org/security/advisory/typo3-ext-sa-202...