VYPR

Packagist (Composer) package

typo3/cms-core

pkg:composer/typo3/cms-core

Vulnerabilities (85)

  • CVE-2026-0859 (Jan 13, 2026)
    affected: >= 14.0.0, < 14.0.2; fixed: 14.0.2

    TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions

  • CVE-2025-59016 (Sep 9, 2025)
    affected: >= 9.0.0, < 12.4.37; fixed: 12.4.37

    Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

  • CVE-2025-59015 (Sep 9, 2025)
    affected: >= 12.0.0, < 12.4.37; fixed: 12.4.37

    A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

  • CVE-2025-59013 (Sep 9, 2025)
    affected: >= 9.0.0, < 12.4.37; fixed: 12.4.37

    An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated,

  • CVE-2025-47940 (May 20, 2025)
    affected: >= 10.4.0, < 10.4.50; fixed: 10.4.50

    TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and ga

  • CVE-2025-47939 (May 20, 2025)
    affected: >= 9.0.0, < 9.5.51; fixed: 9.5.51

    TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This l

  • CVE-2025-47938 (May 20, 2025)
    affected: >= 9.0.0, < 9.5.51; fixed: 9.5.51

    TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current pas

  • CVE-2025-47937 (May 20, 2025)
    affected: >= 9.0.0, < 9.5.51; fixed: 9.5.51

    TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction lay

  • CVE-2024-55892 (Jan 14, 2025)
    affected: >= 9.0.0, < 9.5.49; fixed: 9.5.49

    TYPO3 is a free and open source Content Management Framework. Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is u

  • CVE-2024-34358 (May 14, 2024)
    affected: >= 9.0.0, < 9.5.48; fixed: 9.5.48

    TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query par

  • CVE-2024-34357 (May 14, 2024)
    affected: >= 9.0.0, < 9.5.48; fixed: 9.5.48

    TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`

  • CVE-2024-34356 (May 14, 2024)
    affected: >= 9.0.0, < 9.5.48; fixed: 9.5.48

    TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid

  • CVE-2024-34355 (May 14, 2024)
    affected: >= 13.0.0, < 13.1.1; fixed: 13.1.1

    TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject ma

  • CVE-2024-22188 (Mar 5, 2024)
    affected: >= 8.0.0, < 8.7.57; fixed: 8.7.57

    TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5

  • CVE-2024-25118 (Feb 13, 2024)
    affected: >= 8.0.0, < 8.7.57; fixed: 8.7.57

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiti

  • CVE-2024-25119 (Feb 13, 2024)
    affected: >= 8.0.0, < 8.7.57; fixed: 8.7.57

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to genera

  • CVE-2024-25120 (Feb 13, 2024)
    affected: >= 8.0.0, < 8.7.57; fixed: 8.7.57

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a vali

  • CVE-2024-25121 (Feb 13, 2024)
    affected: >= 8.0.0, < 8.7.57; fixed: 8.7.57

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage

  • CVE-2023-30451 (Dec 25, 2023)
    affected: >= 8.0.0, < 8.7.57; fixed: 8.7.57

    In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][base

  • CVE-2023-47127 (Nov 14, 2023)
    affected: >= 8.0.0, < 8.7.55; fixed: 8.7.55

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can b
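The listing's single "affected" range per entry covers only the first affected release branch; the advisory text for most entries names several branches (for example 9.5.x ELTS through 13.4.x LTS), so a check that only uses the one-line range misses 12.x and 13.x installations. The following script is an added example (not VYPR's or TYPO3's code): it reads the typo3/cms-core version from a composer.lock and matches it against per-branch ranges transcribed from the advisory texts above, for a subset of the entries. The composer.lock excerpt is constructed for the demo, and the per-branch lower bounds (10.0.0, 11.0.0, ...) are the usual reading of "prior to 11.5.44 ELTS" and are an assumption where the text does not state them.

```python
import json
import re

# Constructed composer.lock excerpt (only the fields the check needs).
LOCK_JSON = """
{
  "packages": [
    {"name": "psr/log", "version": "3.0.2"},
    {"name": "typo3/cms-core", "version": "v12.4.36"}
  ],
  "packages-dev": []
}
"""

# Per-branch affected ranges transcribed from the advisory texts on this page
# (subset). Syntax mirrors the listing: ">=lo,<hi", or ">=lo,<=hi" where the
# advisory gives an inclusive last affected version. Branch lower bounds such
# as 11.0.0 are assumed from "prior to 11.5.44 ELTS".
AFFECTED = {
    "CVE-2026-0859": [">=14.0.0,<14.0.2"],
    "CVE-2025-59016": [">=9.0.0,<=9.5.54", ">=10.0.0,<=10.4.53",
                       ">=11.0.0,<=11.5.47", ">=12.0.0,<=12.4.36",
                       ">=13.0.0,<=13.4.17"],
    "CVE-2025-59015": [">=12.0.0,<=12.4.36", ">=13.0.0,<=13.4.17"],
    "CVE-2025-47940": [">=10.0.0,<10.4.50", ">=11.0.0,<11.5.44",
                       ">=12.0.0,<12.4.31", ">=13.0.0,<13.4.12"],
    "CVE-2024-34358": [">=9.0.0,<9.5.48", ">=10.0.0,<10.4.45",
                       ">=11.0.0,<11.5.37", ">=12.0.0,<12.4.15",
                       ">=13.0.0,<13.1.1"],
    "CVE-2024-34355": [">=13.0.0,<13.1.1"],
}

_CONSTRAINT = re.compile(r"^(>=|<=|<|>)\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'v12.4.36' -> (12, 4, 36). Pads to three components; stability
    suffixes such as '-dev' are rejected rather than silently ignored."""
    parts = text.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def satisfies(version, constraint):
    """True if version meets every comma-separated term, e.g. '>=9.0.0,<9.5.48'."""
    v = parse_version(version)
    for term in constraint.split(","):
        m = _CONSTRAINT.match(term.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {term!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        if not {">=": v >= bound, "<=": v <= bound, "<": v < bound, ">": v > bound}[op]:
            return False
    return True


def locked_version(lock_json, package):
    """Version pinned for `package` in a composer.lock document, or None."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def affected_cves(version):
    """Sorted CVE IDs whose ranges contain `version`."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(satisfies(version, r) for r in ranges))


def audit_lock(lock_json, package="typo3/cms-core"):
    """(locked version, matching CVE IDs); version is None if not locked."""
    version = locked_version(lock_json, package)
    return version, (affected_cves(version) if version else [])


if __name__ == "__main__":
    version, cves = audit_lock(LOCK_JSON)
    print(f"{version}: {', '.join(cves) if cves else 'no listed advisory matches'}")
```

For the constructed lock file the script reports v12.4.36 as matching CVE-2025-59015 and CVE-2025-59016, which the page's one-line ranges would also catch, but a 13.0.0 install matches five of the six entries encoded here even though none of the page's single ranges cover 13.0.0.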
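Two entries above are two sides of the same control: CVE-2024-34358 reports that the `frame` query parameter of the ShowImageController was not bound by an HMAC signature, and CVE-2024-25119 reports the signing key (`$GLOBALS['SYS']['encryptionKey']`) being displayed in the Install Tool, which lets anyone who saw it produce signatures that verify. The following is an added example, not TYPO3's code, of signing and verifying a query string with HMAC-SHA256 over a canonical encoding of the parameters; the key, the parameter names and the URL layout are constructed for the demo and do not reproduce TYPO3's real encoding.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed key for the demo. The real secret lives in server-side
# configuration and must never be rendered into a form: once read, it lets
# the reader mint signatures the server accepts.
ENCRYPTION_KEY = b"demo-only-0d3c1a5b9f7e2c4a6b8d0f1e3a5c7b9d"
SIGNATURE_PARAM = "mac"

# Constructed parameters standing in for a showpic-style link.
DEMO_BASE = "https://example.test/index.php"
DEMO_PARAMS = {"eID": "tx_cms_showpic", "file": "42", "frame": "0"}


def canonical(params):
    """Bytes the MAC covers: fields sorted by name and URL-encoded, so signer
    and verifier agree whatever order the query string arrives in."""
    return urlencode(sorted(params.items())).encode()


def sign_params(params, key=ENCRYPTION_KEY):
    """Copy of `params` with an HMAC-SHA256 over all fields attached."""
    if SIGNATURE_PARAM in params:
        raise ValueError(f"{SIGNATURE_PARAM!r} is reserved for the signature")
    mac = hmac.new(key, canonical(params), hashlib.sha256).hexdigest()
    return {**params, SIGNATURE_PARAM: mac}


def build_url(base, params, key=ENCRYPTION_KEY):
    return f"{base}?{urlencode(sign_params(params, key))}"


def verify_url(url, key=ENCRYPTION_KEY):
    """Verified parameters as a dict, or None if the signature is missing,
    malformed or does not match (a tampered `frame` is rejected)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    mac = query.pop(SIGNATURE_PARAM, None)
    if mac is None or len(mac) != 1:
        return None
    fields = {name: values[0] for name, values in query.items() if len(values) == 1}
    if len(fields) != len(query):
        return None  # duplicated names would make the canonical form ambiguous
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac[0]):
        return None
    return fields


def tamper(url, name, value):
    """Rewrite one parameter without re-signing: what an attacker who does not
    hold the key can do to a signed link."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def demo():
    """Returns (verified signed link, verified tampered link, verified forged
    link): the second is None, the third succeeds because the forger used the
    key, which is exactly why a leaked key voids the signature check."""
    signed = build_url(DEMO_BASE, DEMO_PARAMS)
    forged = build_url(DEMO_BASE, {**DEMO_PARAMS, "frame": "999"})
    return (verify_url(signed),
            verify_url(tamper(signed, "frame", "999")),
            verify_url(forged))


if __name__ == "__main__":
    print(demo())
```

Rotating the key after a disclosure such as CVE-2024-25119 invalidates every previously issued signature, so links that embed one (cached pages, e-mails) stop verifying; that is the cost of the fix, not a bug in it.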

Page 1 of 5