CVE-2025-47939: Insufficient Type Distinction in TYPO3

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.1% (top 67.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published May 20, 2025

Description

TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example
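The description above turns on two distinct checks that the TYPO3 file module historically did not make: whether an extension is executable (by the web server, or by the user who later downloads the file) and whether the file's real content agrees with its extension and declared MIME type. The Python validator below is an added example, not TYPO3 code and not from the page or its advisories; it shows what an upload handler has to do to make that distinction. It inspects every extension component (to catch double-extension names), sniffs magic bytes, and compares the sniffed type against both the extension and the client-declared Content-Type. The extension lists, the magic-byte table, the function names and the sample inputs are all assumptions constructed for illustration; a production deployment would derive the executable list from the web server's handler configuration and use a full libmagic database.

```python
"""Upload validator: executable-extension denylist plus content/extension/MIME agreement.

Added illustration, not TYPO3 code. All tables below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Extensions a typical web server may hand to an interpreter (assumed list).
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "cgi", "pl", "py", "asp", "aspx", "jsp", "sh",
}
# Extensions the server will not run, but the downloading client will (assumed list).
CLIENT_EXECUTABLE_EXTENSIONS = {"exe", "dll", "msi", "scr", "bat", "cmd", "com"}
# Plain-text formats that carry no magic bytes and need a separate heuristic.
TEXT_EXTENSIONS = {"txt", "csv", "md"}

# Minimal magic-byte table (constructed): prefix -> (sniffed MIME, extensions it may carry).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"GIF87a", "image/gif", {"gif"}),
    (b"GIF89a", "image/gif", {"gif"}),
    (b"%PDF-", "application/pdf", {"pdf"}),
    (b"MZ", "application/x-dosexec", {"exe", "dll", "scr", "com"}),
    (b"\x7fELF", "application/x-executable", set()),
    (b"PK\x03\x04", "application/zip", {"zip", "docx", "xlsx", "pptx", "odt", "jar"}),
]


@dataclass
class Verdict:
    allowed: bool
    reason: str
    sniffed_type: Optional[str] = None


def sniff(data: bytes) -> Tuple[Optional[str], Set[str]]:
    """Return (MIME type, extensions consistent with it) from leading bytes, or (None, {})."""
    for prefix, mime, exts in MAGIC:
        if data.startswith(prefix):
            return mime, exts
    return None, set()


def extensions_of(filename: str) -> List[str]:
    """Every extension component, lower-cased: 'shell.php.jpg' -> ['php', 'jpg'].
    Checking all components catches double-extension names that some server
    configurations still route to an interpreter."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def looks_like_text(data: bytes) -> bool:
    """Heuristic for formats without magic bytes: valid UTF-8 and no NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def validate_upload(filename: str, declared_mime: str, data: bytes) -> Verdict:
    """Accept only when extension, sniffed content and declared MIME all agree."""
    exts = extensions_of(filename)
    if not exts:
        return Verdict(False, "no extension")
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return Verdict(False, "server-executable extension")
    if any(e in CLIENT_EXECUTABLE_EXTENSIONS for e in exts):
        return Verdict(False, "client-executable extension")

    last = exts[-1]
    sniffed, allowed_exts = sniff(data)
    if sniffed is None:
        if last in TEXT_EXTENSIONS and looks_like_text(data):
            sniffed, allowed_exts = "text/plain", TEXT_EXTENSIONS
        else:
            return Verdict(False, "content not recognised as an allowed type")

    if last not in allowed_exts:
        return Verdict(False, f"extension .{last} does not match content {sniffed}", sniffed)

    # Strip parameters such as '; charset=utf-8' before comparing the declared type.
    declared = declared_mime.split(";")[0].strip().lower()
    if declared != sniffed:
        return Verdict(False, f"declared {declared} but content is {sniffed}", sniffed)
    return Verdict(True, "ok", sniffed)
```

The declared Content-Type is checked last and only for agreement; it comes from the client and is never trusted on its own. The text heuristic is deliberately conservative: a `.txt` file whose first bytes happen to match a magic prefix (for example a note starting with "MZ") is rejected as a mismatch rather than accepted, which is the safer failure mode for an upload path.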

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Exploitability: 2.8 | Impact: 2.5

Decoded: network attack vector, low attack complexity, low privileges required (an authenticated backend user with access to the file module), no user interaction, unchanged scope; no confidentiality impact, low integrity impact, low availability impact.

Affected Packages (3 packages)

Source      Package            Versions
NVD         typo3/typo3        9.0.0 to 9.5.51 (+4 more ranges)
Packagist   typo3/cms-core     9.0.0 to 9.5.51 (+4 more ranges)
CVEListV5   typo3/typo3        5 versions (+4 more)

Vulnerability Details (3 sources)

OSV: TYPO3 Allows Unrestricted File Upload in File Abstraction Layer (2025-05-20)
CVEList: TYPO3 CMS Vulnerable to Unrestricted File Upload in File Abstraction Layer (2025-05-20)
GHSA: TYPO3 Allows Unrestricted File Upload in File Abstraction Layer (2025-05-20)

Vendor Advisories (1)

Microsoft (2022-12-13): An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.

Note: this advisory text describes a Linux kernel ksmbd bug from 2022 and has nothing to do with TYPO3 or file uploads; it appears to be a mis-linked record and should not be read as a vendor advisory for CVE-2025-47939.
CVE-2025-47939 — Insufficient Type Distinction in Typo3 | cvebase