VYPR
Moderate severityOSV Advisory· Published Jan 13, 2026· Updated Jan 13, 2026

TYPO3 CMS Allows Broken Access Control in Redirects Module

CVE-2025-59021

Description

Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
typo3/cms-redirectsPackagist
>= 14.0.0, < 14.0.214.0.2
typo3/cms-redirectsPackagist
>= 13.0.0, < 13.4.2313.4.23
typo3/cms-redirectsPackagist
>= 12.0.0, < 12.4.4112.4.41
typo3/cms-redirectsPackagist
>= 11.0.0, < 11.5.4911.5.49
typo3/cms-redirectsPackagist
>= 10.0.0, < 10.4.5510.4.55

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.