CVE-2026-4208

EUVD-2026-12554
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
Affected Products (NVD)
VendorProductVersion
mrsilazmfa_mail
𝑥
< 1.0.7
mrsilazmfa_mail
2.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://typo3.org/security/advisory/typo3-ext-sa-2026-007