CVE-2025-59021 — Missing Authorization in CMS

CWE-862 — Missing Authorization5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 98.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3 Typo3 Cms-redirects

Timeline

PublishedJan 13

Description

Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagisttypo3/cms-redirects14.0.0 — 14.0.2+4

▶NVDtypo3/typo310.0.0 — 10.4.55+4

▶CVEListV5typo3/typo3_cms10.0.0 — 10.4.55+4

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

TYPO3 CMS Allows Broken Access Control in Redirects Module↗2026-01-13

▶

CVEList

TYPO3 CMS Allows Broken Access Control in Redirects Module↗2026-01-13

▶

GHSA

TYPO3 CMS Allows Broken Access Control in Redirects Module↗2026-01-13

▶

🕵️Threat Intelligence

Wiz

CVE-2025-59021 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶