CVE-2025-10316: 
PHP vulnerability analysis and mitigation

The vulnerability CVE-2025-10316 affects the TYPO3 extension 'Form to Database' (formtodatabase) and was disclosed on September 16, 2025. This vulnerability is identified as a Cross-Site Scripting (XSS) issue affecting multiple versions of the extension: versions before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, and from 5.0.0 before 5.0.2 (TYPO3 Advisory).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue where the extension fails to properly encode user input for output in the TYPO3 backend user interface. The CVSS v4.0 base score assigned by TYPO3 is 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (NVD).

The vulnerability could allow attackers to execute cross-site scripting attacks through the TYPO3 backend interface, potentially compromising the security of the content management system. The impact is considered low severity based on the CVSS score (TYPO3 Advisory).

The vulnerability has been patched in versions 2.2.5, 3.2.2, 4.2.3, and 5.0.2. Users are advised to update to these patched versions as soon as possible. The updated versions are available through the TYPO3 extension manager, packagist, and the TYPO3 extension repository (TYPO3 Advisory).

The vulnerability was responsibly disclosed with credits given to Sascha Egerer for reporting the vulnerability and to Liquid Light for providing updated versions of the extension (TYPO3 Advisory).