CVE-2025-47937
published 2025-05-20


Priority: P4 30
Severity: medium (CVSS 3.1 base score 5.3)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.25% (16.6th percentile)
TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

Affected (15 ranges)

Vendor   Product    Version range          Fixed in
typo3    cms-core   >= 10.0.0 < 10.4.50    10.4.50
typo3    cms-core   >= 11.0.0 < 11.5.44    11.5.44
typo3    cms-core   >= 12.0.0 < 12.4.31    12.4.31
typo3    cms-core   >= 13.0.0 < 13.4.12    13.4.12
typo3    cms-core   >= 9.0.0 < 9.5.51      9.5.51
typo3    typo3
typo3    typo3
typo3    typo3
typo3    typo3
typo3    typo3
typo3    typo3      >= 10.0.0 < 10.4.50    10.4.50
typo3    typo3      >= 11.0.0 < 11.5.44    11.5.44
typo3    typo3      >= 12.0.0 < 12.4.31    12.4.31
typo3    typo3      >= 13.0.0 < 13.4.12    13.4.12
typo3    typo3      >= 9.0.0 < 9.5.51      9.5.51