Cleartext Storage of Sensitive Information Affecting typo3/cms-core package, versions >14.2.0, <14.3.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cleartext Storage of Sensitive Information vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PHP-TYPO3CMSCORE-16115547
- published21 Apr 2026
- disclosed21 Apr 2026
- creditMartin Clewing
Introduced: 21 Apr 2026
NewCVE-2026-6553 (opens in a new tab)How to fix?
Upgrade typo3/cms-core to version 14.3.0 or higher.
Overview
typo3/cms-core is a free open source enterprise content management system.
Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the SetupModuleController module merging entity data with user-interface settings before storing them in DB. An attacker can obtain sensitive user credentials by accessing the uc and user_settings fields in the be_users database table.
Note:
Manual actions required alongside with version upgrade:
Updating to the patched release does not retroactively clean existing data. It is recommended to execute all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, which sanitizes the incorrectly persisted cleartext values from the uc and user_settings fields of the be_users table. Additionally, affected backend user accounts should be assigned new passwords.
Admin Tools → Upgrade → Upgrade Wizard → User Settings Scrubbing