CVE-2025-59022
published 2026-01-13


Priority: P352, high, 8.1 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:H / A:H
EPSS: 0.38% (29.8th percentile)
Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Affected

15 ranges

Vendor  Product       Version range          Fixed in
typo3   cms-recycler  >= 10.0.0 < 10.4.55    10.4.55
typo3   cms-recycler  >= 11.0.0 < 11.5.49    11.5.49
typo3   cms-recycler  >= 12.0.0 < 12.4.41    12.4.41
typo3   cms-recycler  >= 13.0.0 < 13.4.23    13.4.23
typo3   cms-recycler  >= 14.0.0 < 14.0.2     14.0.2
typo3   typo3         >= 10.0.0 < 10.4.55    10.4.55
typo3   typo3         >= 11.0.0 < 11.5.49    11.5.49
typo3   typo3         >= 12.0.0 < 12.4.41    12.4.41
typo3   typo3         >= 13.0.0 < 13.4.23    13.4.23
typo3   typo3         >= 14.0.0 < 14.0.2     14.0.2
typo3   typo3_cms     >= 10.0.0 < 10.4.55    10.4.55
typo3   typo3_cms     >= 11.0.0 < 11.5.49    11.5.49
typo3   typo3_cms     >= 12.0.0 < 12.4.41    12.4.41
typo3   typo3_cms     >= 13.0.0 < 13.4.23    13.4.23
typo3   typo3_cms     >= 14.0.0 < 14.0.2     14.0.2

CVSS provenance

nvd  v3.1  8.1  HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
nvd  v4.0  7.1  HIGH  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X