cbcvebase.
CVE-2026-49742
published 2026-06-09

CVE-2026-49742: Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module…

PriorityP342high7.1CVSS 4.0
AVNACLATNPRLUINVCHVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.31%
23.0th percentile
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Affected

12 ranges
VendorProductVersion rangeFixed in
typo3cms-core>= 11.0.0 < 11.5.5111.5.51
typo3cms-core>= 12.0.0 < 12.4.4612.4.46
typo3cms-core>= 13.0.0 < 13.4.3113.4.31
typo3cms-core>= 14.0.0 < 14.3.314.3.3
typo3cms-filelist>= 11.0.0 < 11.5.5111.5.51
typo3cms-filelist>= 12.0.0 < 12.4.4612.4.46
typo3cms-filelist>= 13.0.0 < 13.4.3113.4.31
typo3cms-filelist>= 14.0.0 < 14.3.314.3.3
typo3typo3_cms>= 11.0.0 < 11.5.5111.5.51
typo3typo3_cms>= 12.0.0 < 12.4.4612.4.46
typo3typo3_cms>= 13.0.0 < 13.4.3113.4.31
typo3typo3_cms>= 14.0.0 < 14.3.314.3.3
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.