TYPO3 CMS vulnerabilities
32 known vulnerabilities affecting typo3/typo3_cms.
Total CVEs: 32
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 12, MEDIUM 16, LOW 3
Vulnerabilities
Page 1 of 2
CVE-2020-15098 | P2 | HIGH | CVSS 8.8 | affected: >= 9.0.0, < 9.5.20; >= 10.0.0, < 10.4.6 | 2020-07-29
CWE-20. In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injecting arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to
Source: NVD
CVE-2025-59017 | P3 | HIGH | CVSS 8.8 | affected: >= 9.0.0, < 9.5.55; >= 10.0.0, < 10.4.54; +3 more | 2025-09-09
CWE-862. Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.
Source: NVD
CVE-2020-11066 | P3 | CRITICAL | CVSS 10.0 | affected: >= 9.0.0, < 9.5.17; >= 10.0.0, < 10.4.2 | 2020-05-14
CWE-915. In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable f
Source: NVD
CVE-2026-49741 | P3 | HIGH | CVSS 8.7 | affected: >= 14.0.0, < 14.3.3 | 2026-06-09
CWE-89. Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-
Source: NVD
CVE-2026-47346 | P3 | HIGH | CVSS 7.6 | affected: fixed in 10.4.57; >= 11.0.0, < 11.5.51; +3 more | 2026-06-09
CWE-178. Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user
Source: NVD
CVE-2020-11067 | P3 | HIGH | CVSS 8.8 | affected: >= 9.0.0, < 9.5.17; >= 10.0.0, < 10.4.2 | 2020-05-14
CWE-502. In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. This ha
Source: NVD
CVE-2020-15099 | P3 | HIGH | CVSS 8.1 | affected: >= 9.0.0, < 9.5.20; >= 10.0.0, < 10.4.6 | 2020-07-29
CWE-20. In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible
Source: NVD
CVE-2025-59022 | P3 | HIGH | CVSS 8.1 | affected: >= 10.0.0, < 10.4.55; >= 11.0.0, < 11.5.49; +3 more | 2026-01-13
CWE-862. Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4
Source: NVD
CVE-2026-11607 | P3 | HIGH | CVSS 7.6 | affected: fixed in 10.4.57; >= 11.0.0, < 11.5.51; +3 more | 2026-06-09
CWE-862. Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend u
Source: NVD
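The two Form Framework entries above (CVE-2026-47346 and CVE-2026-11607) both come down to deciding what counts as a form definition file by its name, and doing so inconsistently between the upload restriction and the loader. The following is an added example, not TYPO3's own code: it shows a case-sensitive suffix check that a mixed-case name slips past, beside a hardened predicate that normalises the name and is used on both the upload and the loading side. The function names, the privilege flag and the sample file names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Illustrates the weakness classes behind
// CVE-2026-47346 (mixed-case extension bypass, CWE-178) and CVE-2026-11607
// (a file that does not end in .form.yaml processed as a form definition).
// Function names, the privilege flag and the sample names are assumptions.

const FORM_DEFINITION_SUFFIX = '.form.yaml';

// Vulnerable pattern: a case-sensitive suffix comparison. A file named
// "contact.FORM.YAML" is not a form definition to this check, so an upload
// restriction built on it lets the file through, while a loader that later
// treats the same file case-insensitively will parse it as a form definition.
function isFormDefinitionNameNaive(string $fileName): bool
{
    return str_ends_with($fileName, FORM_DEFINITION_SUFFIX);
}

// Hardened pattern: normalise before comparing, and make this one predicate
// the only definition of "form definition file" on both sides of the boundary.
function isFormDefinitionName(string $fileName): bool
{
    // basename() drops any directory part; strtolower() closes the casing
    // bypass (the suffix is ASCII, so mb_strtolower() is not needed).
    $normalised = strtolower(basename($fileName));
    return strlen($normalised) > strlen(FORM_DEFINITION_SUFFIX)
        && str_ends_with($normalised, FORM_DEFINITION_SUFFIX);
}

// Upload side: a name that classifies as a form definition requires the
// form-definition privilege; any other name is subject only to the ordinary
// upload rules (not modelled here).
function mayUploadFile(string $fileName, bool $userMayManageFormDefinitions): bool
{
    return !isFormDefinitionName($fileName) || $userMayManageFormDefinitions;
}

// Loader side: refuse anything the same predicate does not classify as a form
// definition, no matter how the file reached the storage.
function mayLoadAsFormDefinition(string $fileName): bool
{
    return isFormDefinitionName($fileName);
}

// Constructed sample names covering the legitimate case and the bypasses.
$samples = [
    'contact.form.yaml', // legitimate
    'contact.FORM.YAML', // CWE-178 casing bypass
    'contact.Form.Yaml', // another casing variant
    'contact.yaml',      // plain YAML; must never be loaded as a form
    '.form.yaml',        // suffix with no base name
];

printf("%-20s %-6s %-9s %-16s %s\n", 'name', 'naive', 'hardened', 'upload(no priv)', 'load');
foreach ($samples as $name) {
    printf(
        "%-20s %-6s %-9s %-16s %s\n",
        $name,
        var_export(isFormDefinitionNameNaive($name), true),
        var_export(isFormDefinitionName($name), true),
        var_export(mayUploadFile($name, false), true),
        var_export(mayLoadAsFormDefinition($name), true)
    );
}
```

Run with `php example.php` under PHP 8. The naive predicate classifies contact.FORM.YAML as not a form definition, so a non-privileged upload of that name would be permitted; the hardened predicate classifies it as one and denies the upload, and it refuses contact.yaml on the load side. A name check is only the first gate: the YAML should still be parsed with a loader that does not instantiate objects, and the resulting configuration validated against a schema, before any of it can reach a database query.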
CVE-2026-47343 | P3 | HIGH | CVSS 7.2 | affected: fixed in 10.4.57; >= 11.0.0, < 11.5.51; +3 more | 2026-06-09
CWE-862. Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 thr
Source: NVD
CVE-2026-0859 | P3 | HIGH | CVSS 7.8 | affected: >= 10.0.0, < 10.4.55; >= 11.0.0, < 11.5.49; +3 more | 2026-01-13
CWE-502. TYPO3's mail-file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-1
Source: NVD
CVE-2025-59020 | P3 | MEDIUM | CVSS 6.5 | affected: >= 10.0.0, < 10.4.55; >= 11.0.0, < 11.5.49; +3 more | 2026-01-13
CWE-863. By exploiting the defVals parameter, attackers could bypass field-level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.
Source: NVD
CVE-2026-6553 | P3 | HIGH | CVSS 7.5 | affected: >= 14.2.0, < 14.3.0 | 2026-04-21
CWE-312. Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
Source: NVD
CVE-2026-49742 | P3 | HIGH | CVSS 7.1 | affected: >= 11.0.0, < 11.5.51; >= 12.0.0, < 12.4.46; +2 more | 2026-06-09
CWE-22. Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-1
Source: NVD
CVE-2025-59021 | P3 | MEDIUM | CVSS 6.4 | affected: >= 10.0.0, < 10.4.55; >= 11.0.0, < 11.5.49; +3 more | 2026-01-13
CWE-862. Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user's own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs, facilitating phishing or other malicious redirect
Source: NVD
CVE-2025-59018 | P3 | MEDIUM | CVSS 6.5 | affected: >= 9.0.0, < 9.5.55; >= 10.0.0, < 10.4.54; +3 more | 2025-09-09
CWE-200. Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.
Source: NVD
CVE-2026-49740 | P3 | MEDIUM | CVSS 6.3 | affected: fixed in 10.4.57; >= 11.0.0, < 11.5.51; +3 more | 2026-06-09
CWE-502. TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, poten
Source: NVD
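Several entries on this page (CVE-2020-11066, CVE-2020-11067, CVE-2026-0859 and CVE-2026-49740) share one root cause: bytes an attacker can write are handed to PHP's unserialize() with neither an integrity check nor a class restriction, so a crafted payload instantiates objects whose magic methods act as gadgets. The block below is an added example, not TYPO3 code. It wraps a stored value with an HMAC-SHA256 tag that is verified with hash_equals() before unserialize() is called, and then unserializes under allowed_classes so that a valid tag alone is still not enough to create arbitrary objects. The second layer matters because of the situation CVE-2020-15099 describes, where the MAC itself is no longer a barrier (forged checksum or exposed encryptionKey). The function names, the ExampleGadget class, the key and the sample payloads are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Demonstrates the two controls absent in the
// deserialization entries on this page (CVE-2020-11066/-11067, CVE-2026-0859,
// CVE-2026-49740): an integrity tag over the serialized bytes, verified before
// unserialize(), plus a class restriction so that a valid tag alone is never
// enough to instantiate arbitrary classes. Function names, the gadget class,
// the key and the sample payloads are constructed for illustration.

const TAG_HEX_LENGTH = 64; // hex digits in an HMAC-SHA256 tag

/** serialize() $value and prefix it with an HMAC-SHA256 tag keyed with $key. */
function sealForStorage(mixed $value, string $key): string
{
    $payload = serialize($value);
    return hash_hmac('sha256', $payload, $key) . ':' . $payload;
}

/**
 * Verify the tag, then unserialize() under an explicit class allow-list.
 * Returns null on any failure so that callers fail closed.
 */
function openFromStorage(string $stored, string $key, array $allowedClasses = []): mixed
{
    // A hex tag never contains ':', so the first ':' must sit right after it.
    if (strpos($stored, ':') !== TAG_HEX_LENGTH) {
        return null; // malformed record
    }
    $tag = substr($stored, 0, TAG_HEX_LENGTH);
    $payload = substr($stored, TAG_HEX_LENGTH + 1);

    // Constant-time comparison; never compare MACs with == or ===.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null; // tampered, or written with a different key
    }

    // allowed_classes => false turns every object in the payload into
    // __PHP_Incomplete_Class, so no __wakeup()/__unserialize()/__destruct()
    // gadget ever runs. Pass a list only for value classes a store truly needs.
    return unserialize($payload, [
        'allowed_classes' => $allowedClasses === [] ? false : $allowedClasses,
        'max_depth'       => 16,
    ]);
}

// Stand-in for a gadget class: a real one might unlink() $path in __destruct.
final class ExampleGadget
{
    public function __construct(public string $path = '/tmp/example') {}

    public function __destruct()
    {
        echo "ExampleGadget::__destruct reached for {$this->path}\n";
    }
}

// Serialized form of ExampleGadget('/var/www'), written as a literal so that
// no ExampleGadget instance exists in this script unless unserialize() makes one.
$gadgetPayload = 'O:13:"ExampleGadget":1:{s:4:"path";s:8:"/var/www";}';

$encryptionKey = bin2hex(random_bytes(32)); // constructed; an installation secret in practice

// 1. Round trip of ordinary data succeeds.
$record = sealForStorage(['lastLogin' => 1700000000, 'theme' => 'dark'], $encryptionKey);
var_dump(openFromStorage($record, $encryptionKey));

// 2. Attacker can write the store but lacks the key: the tag check fails.
$forged = hash_hmac('sha256', $gadgetPayload, 'guessed-key') . ':' . $gadgetPayload;
var_dump(openFromStorage($forged, $encryptionKey));

// 3. Attacker has the key (the CVE-2020-15099 situation): the tag is valid,
//    but the class restriction still yields an inert __PHP_Incomplete_Class.
$leaked = hash_hmac('sha256', $gadgetPayload, $encryptionKey) . ':' . $gadgetPayload;
$result = openFromStorage($leaked, $encryptionKey);
var_dump(is_object($result) && get_class($result) === '__PHP_Incomplete_Class');

// 4. For contrast, the unrestricted call: the class is instantiated and its
//    destructor runs on unset(). This is the PHP Object Injection primitive.
$unsafe = unserialize($gadgetPayload);
unset($unsafe);
```

Case 2 returns null because the tag was computed with the wrong key; case 3 has a valid tag but yields an incomplete class, so ExampleGadget::__destruct never runs; case 4 is the only one that prints from the destructor. For stores that only ever hold scalars and arrays, the cleaner fix is to drop serialize()/unserialize() altogether in favour of json_encode()/json_decode(), which cannot instantiate classes at all.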
CVE-2026-47352 | P3 | MEDIUM | CVSS 5.3 | affected: fixed in 10.4.57; >= 11.0.0, < 11.5.51; +3 more | 2026-06-09
CWE-862. Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Source: NVD
CVE-2025-59015 | P3 | MEDIUM | CVSS 6.5 | affected: >= 12.0.0, < 12.4.37; >= 13.0.0, < 13.4.18 | 2025-09-09
CWE-331. A deterministic three-character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0-12.4.36 and 13.0.0-13.4.17 reduces entropy, allowing attackers to carry out brute-force attacks more quickly.
Source: NVD
CVE-2026-47349 | P3 | MEDIUM | CVSS 5.3 | affected: fixed in 10.4.57; >= 11.0.0, < 11.5.51; +3 more | 2026-06-09
CWE-862. Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Source: NVD