Typo3 Cms-Core vulnerabilities

CVE-2026-0859 [MEDIUM] CWE-502 TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool ### Problem Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server. The vulnerability is triggered when TYPO3 is confi

CVE-2025-59016 [MEDIUM] CWE-209 TYPO3 CMS exposes sensitive information in an error message TYPO3 CMS exposes sensitive information in an error message Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

CVE-2025-59015 [MEDIUM] CWE-331 TYPO3 CMS uses insufficient entropy when generating passwords TYPO3 CMS uses insufficient entropy when generating passwords A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

CVE-2025-59013 [MEDIUM] CWE-601 TYPO3 CMS has an open‑redirect vulnerability TYPO3 CMS has an open‑redirect vulnerability An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.

CVE-2025-47940 [HIGH] CWE-283 TYPO3 Allows Privilege Escalation to System Maintainer TYPO3 Allows Privilege Escalation to System Maintainer ### Problem Administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. ### Solution Update to TYPO3 versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described. ### Credits Than

CVE-2025-47939 [MEDIUM] CWE-351 TYPO3 Allows Unrestricted File Upload in File Abstraction Layer TYPO3 Allows Unrestricted File Upload in File Abstraction Layer ### Problem By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as execu

CVE-2025-47938 [LOW] CWE-620 TYPO3 Unverified Password Change for Backend Users TYPO3 Unverified Password Change for Backend Users ### Problem The backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unauthorized access in scenarios where an adm

CVE-2025-47937 [LOW] CWE-863 TYPO3 Allows Information Disclosure via DBAL Restriction Handling TYPO3 Allows Information Disclosure via DBAL Restriction Handling ### Problem When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. ###

CVE-2024-55892 [MEDIUM] CWE-601 TYPO3 Potential Open Redirect via Parsing Differences TYPO3 Potential Open Redirect via Parsing Differences ### Problem Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks. ### Solution Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25

CVE-2024-34356 [MEDIUM] CWE-79 TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module ### Problem The form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 that fix the problem described. ### Credits Thank

CVE-2024-34357 [MEDIUM] CWE-79 TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController ### Problem Failing to properly encode user-controlled values in file entities, the `ShowImageController` (_eID tx_cms_showpic_) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. ### Solution Update to TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS,

CVE-2024-34358 [MEDIUM] CWE-200 TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController ### Problem The `ShowImageController` (_eID tx_cms_showpic_) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on t

CVE-2024-34355 [LOW] CWE-116 TYPO3 vulnerable to an HTML Injection in the History Module TYPO3 vulnerable to an HTML Injection in the History Module ### Problem The history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 version 13.1.1 that fixes the problem descri

CVE-2024-25121 [HIGH] CWE-200 TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler ### Problem Entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage")

CVE-2024-22188 [HIGH] CWE-77 TYPO3 Install Tool vulnerable to Code Execution TYPO3 Install Tool vulnerable to Code Execution ### Problem Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. The corresponding change for this advisory involves enforcing the known disadvantages described in [TYPO3-PSA-2020-002: Protec

CVE-2023-30451 [MEDIUM] CWE-22 Path Traversal in TYPO3 File Abstraction Layer Storages Path Traversal in TYPO3 File Abstraction Layer Storages ### Problem Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in `BE/lockRootPath` was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exp

CVE-2024-25120 [MEDIUM] CWE-200 TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme ### Problem The TYPO3-specific [`t3://` URI scheme](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references) could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (alth

CVE-2024-25118 [MEDIUM] CWE-200 TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords ### Problem Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS,

CVE-2024-25119 [MEDIUM] CWE-200 TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key ### Problem The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability r

CVE-2023-47127 [MEDIUM] CWE-287 TYPO3 vulnerable to Weak Authentication in Session Handling TYPO3 vulnerable to Weak Authentication in Session Handling > ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:X/RL:O/RC:C` (4.0) ### Problem Given that there are at least two different sites in the same TYPO3 installation - for instance _first.example.org_ and _second.example.com_ - then a session cookie generated for the first site can be reused on the second site without requiring additional