Two TYPO3 extensions with security vulnerabilities: What you should do now
Today the TYPO3 team has published two new security advisories. Both concern popular extensions that you may be using in your projects.
The more important news first: Base Excel with critical vulnerability
The "Base Excel" extension has a serious problem. All versions up to 4.5.0 contain a security vulnerability that allows attackers to manipulate server-side requests (server-side request forgery, SSRF). This sounds technical, but it means that someone could use your website to reach internal systems.
The reason is an outdated PHP package called "phpoffice/phpspreadsheet" that comes with the extension. Such bundled packages are practical, but can become a problem if they are not kept up to date.
What you need to do: Update to version 5.1.0 immediately. The TYPO3 team classifies this vulnerability as "High" - that doesn't happen often.
Details can be found in the official Security Advisory TYPO3-EXT-SA-2025-013.
Form to Database: XSS in the backend
The second affected extension is called "Form to Database". Here, malicious users can inject JavaScript code into the TYPO3 backend. This is less dramatic than the Excel vulnerability, but still not pretty.
The problem: The extension does not properly check what users enter before it is displayed in the backend.
Affected versions:
- 2.2.4 and older
- 3.0.0 to 3.2.1
- 4.0.0 to 4.2.2
- 5.0.0 to 5.0.1
The updates: Depending on your version, you need 2.2.5, 3.2.2, 4.2.3 or 5.0.2.
All information can be found in the Security Advisory TYPO3-EXT-SA-2025-012.
How to check if you are affected
Check your extension list for "form_to_database" and "base_excel". If you use one of the extensions, check the version number. For Composer setups, the composer show command lists the installed packages with their versions.
If you are unsure: Neither extension is part of the standard TYPO3 installation. You must therefore have installed them deliberately.
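For Composer setups, the version check can be automated against composer.lock. The following is an added example, not code from the TYPO3 project or the extension authors: it assumes each extension declares its key under extra -> typo3/cms -> extension-key (the usual TYPO3 convention), and the sample lock data is constructed.

```python
# Affected ranges as the article states them: (lowest, highest affected, fixed release).
AFFECTED = {
    "base_excel": [((0, 0, 0), (4, 5, 0), "5.1.0")],
    "form_to_database": [
        ((0, 0, 0), (2, 2, 4), "2.2.5"),
        ((3, 0, 0), (3, 2, 1), "3.2.2"),
        ((4, 0, 0), (4, 2, 2), "4.2.3"),
        ((5, 0, 0), (5, 0, 1), "5.0.2"),
    ],
}

def parse_version(text):
    """'v4.2.1' -> (4, 2, 1), '4.2' -> (4, 2, 0); None for dev branches like 'dev-main'."""
    parts = text.lstrip("vV").split("-")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def extension_key(pkg):
    """Read extra -> typo3/cms -> extension-key; tolerate a missing or empty 'extra'."""
    extra = pkg.get("extra")
    cms = extra.get("typo3/cms") if isinstance(extra, dict) else None
    return cms.get("extension-key") if isinstance(cms, dict) else None

def check_lock(lock):
    """Return (extension key, installed version, verdict) for the two extensions."""
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        key, raw = extension_key(pkg), pkg.get("version", "")
        if key not in AFFECTED:
            continue
        version = parse_version(raw)
        fix = next((f for lo, hi, f in AFFECTED[key]
                    if version and lo <= version <= hi), None)
        verdict = ("check manually" if version is None
                   else f"update to {fix}" if fix else "not in an affected range")
        findings.append((key, raw, verdict))
    return findings

# Constructed sample in composer.lock shape (package names omitted).
SAMPLE_LOCK = {"packages": [
    {"version": "4.5.0", "extra": {"typo3/cms": {"extension-key": "base_excel"}}},
    {"version": "v4.2.3", "extra": {"typo3/cms": {"extension-key": "form_to_database"}}},
    {"version": "dev-main", "extra": []},
]}

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

To check a real project, pass the parsed JSON of its composer.lock to check_lock(). Extensions installed without Composer do not appear in that file and have to be checked in the extension list.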
My tip
Set up a notification for the typo3-announce mailing list. There you will be the first to know about such security updates. A few minutes of effort that will pay off.
Security is not a luxury, but a duty. Updating the extensions today is better than limiting the damage tomorrow.
Who writes here?
Hi, I'm Wolfgang.
Since 2006, I've been diving deep into the fascinating world of TYPO3 - it's not only my profession, but also my passion. My path has taken me through countless projects, and I have created hundreds of professional video tutorials focusing on TYPO3 and its extensions. I love unraveling complex topics and turning them into easy-to-understand concepts, which is also reflected in my trainings and seminars.
As an active member of the TYPO3 Education Committee, I am committed to keeping the TYPO3 CMS Certified Integrator exam questions up to date and challenging.
But my passion doesn't end at the screen. When I'm not diving into the depths of TYPO3, you'll often find me on my bike, exploring the scenic trails around Lake Constance. These outdoor excursions are my perfect balance - they keep my mind fresh and always provide me with new ideas.