Typo3 Cms-Core vulnerabilities
98 known vulnerabilities affecting typo3/cms-core.
Total CVEs: 98
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 26, MEDIUM 64, LOW 8
Vulnerabilities
Page 1 of 5
CVE-2020-15098 | P2 | HIGH | CVSS 8.1 | Affected: ≥ 9.0.0, < 9.5.20; ≥ 10.0.0, < 10.4.6 | 2020-07-29
CVE-2020-15098 [HIGH] CWE-20 Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (8.2)
> * CWE-325, CWE-20, CWE-200, CWE-502
### Problem
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data
Sources: ghsa, osv
CVE-2020-11066 | P3 | HIGH | Affected: ≥ 9.0.0, < 9.5.17; ≥ 10.0.0, < 10.4.2 | 2020-05-13
CVE-2020-11066 [HIGH] CWE-1321 Class destructors causing side-effects when being unserialized in TYPO3 CMS
Calling unserialize() on malicious user-submitted content can result in the following scenarios:
- trigger deletion of arbitrary directory in file system (if writable for web server)
- trigger message submission via email using identity of web site (mail relay)
Another insecure deserialization vulnerability is req
Sources: ghsa, osv
CVE-2026-49741 | P3 | HIGH | Affected: ≥ 14.0.0, < 14.3.3 | 2026-06-12
CVE-2026-49741 [HIGH] CWE-862 TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework
### Problem
Backend users with write access to the `form_definition` database table were able to directly create, update, or delete form definition records via `DataHandler`, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attac
Sources: ghsa
CVE-2023-30451 | P4 | MEDIUM | PoC | Affected: ≥ 8.0.0, < 8.7.57; ≥ 9.0.0, < 9.5.46; +4 more | 2024-02-13
CVE-2023-30451 [MEDIUM] CWE-22 Path Traversal in TYPO3 File Abstraction Layer Storages
### Problem
Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in `BE/lockRootPath` was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exp
Sources: ghsa, osv
CVE-2026-47346 | P3 | HIGH | Affected: ≥ 0, < 10.4.57; ≥ 11.0.0, < 11.5.51; +3 more | 2026-06-12
CVE-2026-47346 [HIGH] CWE-178 TYPO3 CMS has Broken Access Control in its Form Framework
### Problem
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., `.FORM.YAML`) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrativ
Sources: ghsa
CVE-2020-11067 | P3 | HIGH | Affected: ≥ 9.0.0, < 9.5.17; ≥ 10.0.0, < 10.4.2 | 2020-05-13
CVE-2020-11067 [HIGH] CWE-502 Insecure Deserialization in Backend User Settings in TYPO3 CMS
It has been discovered that backend user settings (in `$BE_USER->uc`) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.
Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the probl
Sources: ghsa, osv
CVE-2020-15099 | P3 | HIGH | Affected: ≥ 9.0.0, < 9.5.20; ≥ 10.0.0, < 10.4.6 | 2020-07-29
CVE-2020-15099 [HIGH] CWE-20 Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (7.5)
> * CWE-20, CWE-200
### Problem
In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal _encryptionKey_ was expose
Sources: ghsa, osv
CVE-2021-21355 | P3 | HIGH | Affected: ≥ 10.0.0, < 10.4.14; ≥ 11.0.0, < 11.1.1; +1 more | 2021-03-23
CVE-2021-21355 [HIGH] CWE-434 Unrestricted File Upload in Form Framework
### Problem
Because file extensions were not checked against the configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, the default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_.
TYPO3 Extbase extensions, which implement a file upload and do not implement a custom _TypeConverter_ to transform up
Sources: ghsa, osv
CVE-2022-23503 | P3 | HIGH | Affected: ≥ 8.0.0, < 8.7.49; ≥ 9.0.0, < 9.5.38; +3 more | 2022-12-13
CVE-2022-23503 [HIGH] CWE-94 TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework
### Problem
Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code.
The existence of individual TypoScript instructions for a particular form item (known as [`formDefini
Sources: ghsa, osv
CVE-2024-22188 | P3 | HIGH | Affected: ≥ 8.0.0, < 8.7.57; ≥ 9.0.0, < 9.5.46; +4 more | 2024-02-13
CVE-2024-22188 [HIGH] CWE-77 TYPO3 Install Tool vulnerable to Code Execution
### Problem
Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions.
The corresponding change for this advisory involves enforcing the known disadvantages described in [TYPO3-PSA-2020-002: Protec
Sources: ghsa, osv
CVE-2026-11607 | P3 | HIGH | Affected: ≥ 0, < 10.4.57; ≥ 11.0.0, < 11.5.51; +3 more | 2026-06-12
CVE-2026-11607 [HIGH] CWE-862 TYPO3 CMS has Broken Access Control in its Form Framework
### Problem
Backend users with access to the Form Framework were able to use files not ending in `.form.yaml` as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administra
Sources: ghsa
CVE-2021-21357 | P3 | HIGH | Affected: ≥ 10.0.0, < 10.4.14; ≥ 11.0.0, < 11.1.1; +1 more | 2021-03-23
CVE-2021-21357 [HIGH] CWE-20 Broken Access Control in Form Framework
### Problem
Due to improper input validation, attackers can bypass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework.
In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _
Sources: ghsa, osv
CVE-2026-47343 | P3 | HIGH | Affected: ≥ 0, < 10.4.57; ≥ 11.0.0, < 11.5.51; +3 more | 2026-06-12
CVE-2026-47343 [HIGH] CWE-862 TYPO3 CMS: Destructive Actions on File Mount Folders
### Problem
Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictions.
### Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
Sources: ghsa
CVE-2025-47940 | P3 | HIGH | Affected: ≥ 10.4.0, < 10.4.50; ≥ 11.0.0, < 11.5.44; +2 more | 2025-05-20
CVE-2025-47940 [HIGH] CWE-283 TYPO3 Allows Privilege Escalation to System Maintainer
### Problem
Administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account.
### Solution
Update to TYPO3 versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.
### Credits
Than
Sources: ghsa, osv
CVE-2026-0859 | P3 | MEDIUM | Affected: ≥ 14.0.0, < 14.0.2; ≥ 13.0.0, < 13.4.23; +3 more | 2026-01-13
CVE-2026-0859 [MEDIUM] CWE-502 TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
### Problem
Local platform users who can write to TYPO3's mail-file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.
The vulnerability is triggered when TYPO3 is confi
Sources: ghsa, osv
CVE-2019-11832 | P3 | HIGH | Affected: ≥ 8.0.0, < 8.7.25; ≥ 9.0.0, < 9.5.6 | 2022-05-24
CVE-2019-11832 [HIGH] CWE-20 TYPO3 Image Processing susceptible to Code Execution
TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 is susceptible to remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.
For a successful exploit, the GhostScript binary `gs` must be available on the server system.
Sources: ghsa, osv
CVE-2019-12747 | P3 | HIGH | Affected: ≥ 8.0.0, < 8.7.27; ≥ 9.0.0, < 9.5.8 | 2022-05-24
CVE-2019-12747 [HIGH] CWE-502 TYPO3 Vulnerable to Insecure Deserialization
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.
Sources: ghsa, osv
CVE-2019-19849 | P3 | HIGH | Affected: ≥ 10.0.0, < 10.2.1; ≥ 8.0.0, < 8.7.30; +1 more | 2022-05-24
CVE-2019-19849 [HIGH] CWE-502 TYPO3 Insecure Deserialization in Query Generator & Query View
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user
Sources: ghsa, osv
CVE-2013-1842 | P3 | HIGH | Affected: ≥ 4.5.0, < 4.5.24; ≥ 4.6.0, < 4.6.17; +2 more | 2022-05-17
CVE-2013-1842 [HIGH] CWE-89 TYPO3 SQL injection vulnerability in the Extbase Framework
SQL injection vulnerability in the Extbase Framework in TYPO3 4.5.x before 4.5.24, 4.6.x before 4.6.17, 4.7.x before 4.7.9, and 6.0.x before 6.0.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "the Query Object Model and relation values."
Sources: ghsa, osv
CVE-2022-36104 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 11.4.0, < 11.5.16 | 2022-09-16
CVE-2022-36104 [HIGH] CWE-770 TYPO3 CMS vulnerable to Denial of Service in Page Error Handling
> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C` (5.5)
### Problem
Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itsel
Sources: ghsa, osv