typo3/cms-core is vulnerable to SQL injection. The vulnerability is due to improper dissociation of system-related configuration from user-generated configuration, allowing instructions to be persisted to a form definition file that were not configured to be modified. This allows attackers to exploit the system by manipulating form definitions through the form editor module or direct file upload using the regular file list module.