VYPR

Packagist (Composer) package

typo3/cms-core

pkg:composer/typo3/cms-core

Vulnerabilities (92)

  • CVE-2026-49741HigJun 9, 2026
    affected >= 14.0.0, < 14.3.3fixed 14.3.3

    Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form config

  • CVE-2026-47350MedJun 9, 2026
    affected >= 13.0.0, < 13.4.31fixed 13.4.31

    Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.

  • CVE-2026-47349MedJun 9, 2026
    affected < 10.4.57fixed 10.4.57

    Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

  • CVE-2026-47347MedJun 9, 2026
    affected < 10.4.57fixed 10.4.57

    Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishi

  • CVE-2026-47346HigJun 9, 2026
    affected < 10.4.57fixed 10.4.57

    Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing

  • CVE-2026-47343HigJun 9, 2026
    affected < 10.4.57fixed 10.4.57

    Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 throug

  • CVE-2026-11607HigJun 9, 2026
    affected < 10.4.57fixed 10.4.57

    Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allow

  • CVE-2026-0859Jan 13, 2026
    affected >= 14.0.0, < 14.0.2fixed 14.0.2

    TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions

  • CVE-2025-59016MedSep 9, 2025
    affected >= 9.0.0, < 12.4.37fixed 12.4.37

    Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

  • CVE-2025-59015MedSep 9, 2025
    affected >= 12.0.0, < 12.4.37fixed 12.4.37

    A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

  • CVE-2025-59013MedSep 9, 2025
    affected >= 9.0.0, < 12.4.37fixed 12.4.37

    An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated,

  • CVE-2025-47940HigMay 20, 2025
    affected >= 10.4.0, < 10.4.50fixed 10.4.50

    TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and ga

  • CVE-2025-47939MedMay 20, 2025
    affected >= 9.0.0, < 9.5.51fixed 9.5.51

    TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This l

  • CVE-2025-47938LowMay 20, 2025
    affected >= 9.0.0, < 9.5.51fixed 9.5.51

    TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current pas

  • CVE-2025-47937LowMay 20, 2025
    affected >= 9.0.0, < 9.5.51fixed 9.5.51

    TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction lay

  • CVE-2024-55892MedJan 14, 2025
    affected >= 9.0.0, < 9.5.49fixed 9.5.49

    TYPO3 is a free and open source Content Management Framework. Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is u

  • CVE-2024-34358MedMay 14, 2024
    affected >= 9.0.0, < 9.5.48fixed 9.5.48

    TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query par

  • CVE-2024-34357MedMay 14, 2024
    affected >= 9.0.0, < 9.5.48fixed 9.5.48

    TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`

  • CVE-2024-34356MedMay 14, 2024
    affected >= 9.0.0, < 9.5.48fixed 9.5.48

    TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid

  • CVE-2024-34355LowMay 14, 2024
    affected >= 13.0.0, < 13.1.1fixed 13.1.1

    TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject ma

Page 1 of 5