CVE-2026-47349
Published 2026-06-09
Priority P3 34 · medium · 5.3 · CVSS 4.0
AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.24% (14.7th percentile)
Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-core | >= 0 < 10.4.57 | 10.4.57 |
| typo3 | cms-core | >= 11.0.0 < 11.5.51 | 11.5.51 |
| typo3 | cms-core | >= 12.0.0 < 12.4.46 | 12.4.46 |
| typo3 | cms-core | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | cms-core | >= 14.0.0 < 14.3.3 | 14.3.3 |
| typo3 | cms-recycler | >= 0 < 10.4.57 | 10.4.57 |
| typo3 | cms-recycler | >= 11.0.0 < 11.5.51 | 11.5.51 |
| typo3 | cms-recycler | >= 12.0.0 < 12.4.46 | 12.4.46 |
| typo3 | cms-recycler | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | cms-recycler | >= 14.0.0 < 14.3.3 | 14.3.3 |
| typo3 | typo3_cms | < 10.4.57 | 10.4.57 |
| typo3 | typo3_cms | >= 11.0.0 < 11.5.51 | 11.5.51 |
| typo3 | typo3_cms | >= 12.0.0 < 12.4.46 | 12.4.46 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | typo3_cms | >= 14.0.0 < 14.3.3 | 14.3.3 |
VulDB
TYPO3 CMS up to 14.3.2 Recycler authorization (EUVD-2026-35396 / WID-SEC-2026-1835)
vuldb·2026-06-13·CVSS 5.3
CVE-2026-47349 [MEDIUM] TYPO3 CMS up to 14.3.2 Recycler authorization (EUVD-2026-35396 / WID-SEC-2026-1835)
A vulnerability marked as critical has been reported in TYPO3 CMS up to 10.4.56/11.5.50/12.4.45/13.4.30/14.3.2. This impacts an unknown function of the component Recycler Module. This manipulation causes missing authorization.
The identification of this vulnerability is CVE-2026-47349. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
TYPO3 CMS has Broken Access Control in the Recycler Module
ghsa·2026-06-12
CVE-2026-47349 [MEDIUM] CWE-862 TYPO3 CMS has Broken Access Control in the Recycler Module
### Problem
Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify.
### Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
### Credits
TYPO3 CMS thanks Hyunseo Shin for reporting this issue, and TYPO3 security team member Elias Häußler for fixing it.
### Resources
* [TYPO3-CORE-SA-2026-011](https://typo3.org/security/advisory/typo3-core-sa-2026-011)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.