CVE-2025-59016
published 2025-09-09
CVE-2025-59016: Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47…
Priority: P4 · 22 · medium · 4.3 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.21% (11.7th percentile)
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-core | >= 10.0.0 < 12.4.37 | 12.4.37 |
| typo3 | cms-core | >= 11.0.0 < 12.4.37 | 12.4.37 |
| typo3 | cms-core | >= 12.0.0 < 12.4.37 | 12.4.37 |
| typo3 | cms-core | >= 13.0.0 < 13.4.18 | 13.4.18 |
| typo3 | cms-core | >= 9.0.0 < 12.4.37 | 12.4.37 |
| typo3 | typo3 | 10.0.0 – 10.4.54 | — |
| typo3 | typo3 | 11.0.0 – 11.5.48 | — |
| typo3 | typo3 | 12.0.0 – 12.4.37 | — |
| typo3 | typo3 | 13.0.0 – 13.4.18 | — |
| typo3 | typo3 | >= 9.0.0 < 9.5.55 | 9.5.55 |
| typo3 | typo3_cms | >= 10.0.0 < 10.4.54 | 10.4.54 |
| typo3 | typo3_cms | >= 11.0.0 < 11.5.48 | 11.5.48 |
| typo3 | typo3_cms | >= 12.0.0 < 12.4.37 | 12.4.37 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.18 | 13.4.18 |
| typo3 | typo3_cms | >= 9.0.0 < 9.5.55 | 9.5.55 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
TYPO3 CMS exposes sensitive information in an error message
ghsa·2025-09-09
CVE-2025-59016 [MEDIUM] CWE-209 TYPO3 CMS exposes sensitive information in an error message
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.
OSV
TYPO3 CMS exposes sensitive information in an error message
osv·2025-09-09
CVE-2025-59016 [MEDIUM] TYPO3 CMS exposes sensitive information in an error message
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-09