CVE-2025-10316: 
PHP vulnerability analysis and mitigation

The TYPO3 extension 'Form to Database' (formtodatabase) has been identified with a Cross-Site Scripting vulnerability (CVE-2025-10316). The vulnerability was disclosed on September 16, 2025, affecting multiple versions of the extension: versions before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, and from 5.0.0 before 5.0.2. This third-party extension is not part of the TYPO3 default installation (TYPO3 Advisory).

The vulnerability stems from the extension's failure to properly encode user input for output in HTML context within the TYPO3 backend user interface. The vulnerability has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v4.0 base score indicates a low severity with a vector string of AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (TYPO3 Advisory).

The Cross-Site Scripting vulnerability could potentially allow attackers to execute malicious scripts in the context of the TYPO3 backend user interface, potentially compromising the security of the administrative interface (TYPO3 Advisory).

Updated versions have been released to address this vulnerability: version 2.2.5, 3.2.2, 4.2.3, and 5.0.2. Users are advised to update the extension as soon as possible through the TYPO3 extension manager, packagist, or by downloading directly from the TYPO3 extension repository. Users should also follow the recommendations provided in the TYPO3 Security Guide and subscribe to the typo3-announce mailing list (TYPO3 Advisory).

Credit for discovering and reporting the vulnerability has been given to Sascha Egerer, while Liquid Light provided the updated versions of the extension (TYPO3 Advisory).