VYPR
Published Jun 9, 2026 · 1 source

TYPO3 CMS: Thirteen Backend Vulnerabilities Disclosed on June 9, 2026


Key findings

  • Thirteen backend vulnerabilities in TYPO3 CMS disclosed simultaneously on June 9, 2026.
  • High severity flaws include unauthorized file access and arbitrary SQL execution via form definitions.
  • Several vulnerabilities allow authenticated users to bypass permissions for file and data manipulation.
  • Issues affect various TYPO3 CMS versions, with patches available.
  • Risks range from sensitive file exposure to privilege escalation and open redirects.

On June 9, 2026, a batch of thirteen security vulnerabilities was disclosed for the TYPO3 Content Management System (CMS), affecting its backend functionality. These issues, ranging in severity from low to high, are primarily exploitable by authenticated users with various levels of access, potentially leading to unauthorized file access, data manipulation, and privilege escalation.

Several vulnerabilities center around the handling of files and form definitions within the TYPO3 backend. CVE-2026-49742, a High severity flaw, allowed backend users with file download permissions to access sensitive files from fallback storage via the Media Module by resolving paths relative to the server's document root. Similarly, CVE-2026-47343, also High severity, permitted non-privileged backend users with file mount access to perform write operations on the root of an active file mount due to missing authorization checks. Another High severity vulnerability, CVE-2026-47346, enabled backend users with file write permissions to bypass upload restrictions for form definition files by using mixed-case extensions, potentially leading to arbitrary SQL statement execution. CVE-2026-11607, also High severity, allowed backend users with Form Framework access to use files not ending in .form.yaml as form definitions, again enabling arbitrary SQL execution.
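The file-handling issues above share two decision points: whether a name counts as a form definition, and whether a user-supplied path stays inside the intended storage. The following is an added example, written in Python as a stand-in for TYPO3's PHP; it is not TYPO3 code, and `STORAGE_ROOT`, `may_upload` and `load_form_definition` are constructed names for illustration. It shows the extension decision made on a case-folded name (so a mixed-case spelling cannot pass an upload gate that only knew the lowercase form) and the path resolved against the storage root rather than the web server's document root, with the same prefix test that the low-severity path-allowance item later in this page is about.

```python
"""Added example (Python standing in for TYPO3's PHP; not TYPO3 code).

Two checks that the form-definition and file-mount issues call for:
  * extension decisions made on a case-folded name, so `.Form.YAML` is treated
    exactly like `.form.yaml` at both the upload gate and the loader;
  * every user-supplied path resolved against the *storage* root and confirmed
    to stay below it, rather than against the web server's document root.
STORAGE_ROOT is a constructed path for illustration.
"""
import posixpath
from typing import Optional

FORM_SUFFIX = ".form.yaml"
STORAGE_ROOT = "/srv/typo3/fileadmin"  # constructed example root, not a real deployment path


def is_form_definition_name(name: str) -> bool:
    """True for any spelling of the .form.yaml suffix, e.g. `contact.FORM.Yaml`."""
    return name.lower().endswith(FORM_SUFFIX)


def resolve_inside_root(relative: str, root: str = STORAGE_ROOT) -> Optional[str]:
    """Join `relative` onto `root` and return the normalised path, or None if it escapes.

    posixpath.join drops `root` when `relative` is absolute, and normpath collapses
    `..` segments, so both `/etc/passwd` and `../../etc/passwd` fail the prefix test.
    The trailing "/" in the prefix test keeps `/srv/typo3/fileadmin2` from matching.
    A production check on an existing path should additionally resolve symlinks
    (os.path.realpath) before comparing.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def may_upload(filename: str, user_can_manage_forms: bool) -> bool:
    """Upload gate: form definitions need the form-management permission, other files do not."""
    if is_form_definition_name(filename):
        return user_can_manage_forms
    return True


def load_form_definition(relative: str, root: str = STORAGE_ROOT) -> Optional[str]:
    """Loader gate: only an in-root file carrying the form suffix may be used as a form definition."""
    if not is_form_definition_name(relative):
        return None
    return resolve_inside_root(relative, root)


if __name__ == "__main__":
    for name in ("contact.form.yaml", "contact.FORM.yaml", "contact.yaml"):
        print(name, "upload by unprivileged user:", may_upload(name, user_can_manage_forms=False))
    for rel in ("forms/contact.form.yaml", "../../etc/passwd.form.yaml", "/etc/passwd.form.yaml"):
        print(rel, "->", load_form_definition(rel))
```

Both gates call the same `is_form_definition_name`, which is the point: a restriction enforced with one spelling rule at upload time and another at load time is exactly the mismatch that mixed-case names exploit.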

Data integrity and access control are further compromised by several other disclosed vulnerabilities. CVE-2026-49741, a High severity issue, allowed backend users with write access to the form_definition database table to directly manipulate form definitions via DataHandler, bypassing validation and permission checks, which could lead to the injection of arbitrary form configurations. CVE-2026-47351 (Medium) permitted backend users to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, enabling information gathering on unauthorized records and files. CVE-2026-47349 (Medium) allowed backend users with access to the Recycler module to restore soft-deleted records on pages or for tables they were not authorized to modify.

Other vulnerabilities disclosed include CVE-2026-47350 (Medium), where backend users could move records to different pages without edit permissions on the source page. CVE-2026-47352 (Medium) allowed authenticated backend users to retrieve file metadata via Backend API routes without proper permission checks, potentially exposing files outside their permitted mounts. CVE-2026-49740 (Medium) involved the deserialization of PHP payloads without integrity validation in the cache frontend and persistent key-value store, allowing attackers with write access to inject crafted serialized payloads. CVE-2026-47347 (Medium) presented an open redirect vulnerability in applications using GeneralUtility::sanitizeLocalUrl if the URL was used after sanitization, enabling phishing attacks. Finally, CVE-2026-49738 (Low) was a path allowance check flaw in GeneralUtility::isAllowedAbsPath() that could incorrectly accept invalid paths.
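Two of the hardening checks this paragraph implies, as an added Python example that is neither TYPO3 code nor the implementation of `GeneralUtility::sanitizeLocalUrl`: a key-value store entry whose serialized payload carries an HMAC that is verified before anything is deserialized (Python's `pickle` standing in for PHP `serialize()`), and a local-URL check for redirect targets that rejects absolute, protocol-relative and backslash-prefixed values. `MAC_KEY`, `seal`, `load_verified` and `is_local_url` are constructed names; the key is a placeholder.

```python
"""Added example (Python standing in for TYPO3's PHP; not TYPO3 code).

Part 1: a store entry that carries an HMAC over its serialized payload, so a
writer to the store cannot make the reader deserialize bytes it did not produce.
The tag also covers the cache key, so a valid entry cannot be replayed under
another key. The MAC check runs before any deserialization.
Part 2: a redirect-target check that accepts only an absolute-path reference on
the current origin.
MAC_KEY is a constructed placeholder.
"""
import hashlib
import hmac
import pickle
from typing import Any
from urllib.parse import urlsplit

MAC_KEY = b"constructed-demo-key-replace-in-deployments"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class IntegrityError(Exception):
    """The stored bytes do not match their tag; nothing was deserialized."""


def _tag(cache_key: str, blob: bytes, key: bytes) -> bytes:
    # Key and payload are separated by a NUL so "ab"+"c" and "a"+"bc" cannot collide.
    return hmac.new(key, cache_key.encode("utf-8") + b"\x00" + blob, hashlib.sha256).digest()


def seal(cache_key: str, value: Any, key: bytes = MAC_KEY) -> bytes:
    """Serialize `value` and prefix it with its tag."""
    blob = pickle.dumps(value)
    return _tag(cache_key, blob, key) + blob


def load_unchecked(data: bytes) -> Any:
    """The weak pattern: deserialize whatever the store returned."""
    return pickle.loads(data[TAG_LEN:])


def load_verified(cache_key: str, data: bytes, key: bytes = MAC_KEY) -> Any:
    """Deserialize only after the tag verifies (constant-time comparison)."""
    tag, blob = data[:TAG_LEN], data[TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _tag(cache_key, blob, key)):
        raise IntegrityError(f"entry {cache_key!r} failed its integrity check")
    return pickle.loads(blob)


def is_rejected(cache_key: str, data: bytes) -> bool:
    """True when load_verified refuses the entry (for checking the negative cases)."""
    try:
        load_verified(cache_key, data)
    except IntegrityError:
        return True
    return False


def flip_last_byte(data: bytes) -> bytes:
    """Simulate a modified store entry: change one byte of the serialized part."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def is_local_url(url: str) -> bool:
    """Accept only an absolute-path reference on the current origin, e.g. '/typo3/module?id=1'."""
    if not url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False  # empty, or contains whitespace/control characters
    if url.startswith(("//", "/\\", "\\")):
        return False  # protocol-relative or backslash forms that browsers read as a host
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False  # carries a scheme (http:, javascript:) or an authority
    return url.startswith("/")


if __name__ == "__main__":
    entry = seal("pages:1", {"ttl": 60})
    print("verified:", load_verified("pages:1", entry))
    print("tampered rejected:", is_rejected("pages:1", flip_last_byte(entry)))
    print("replayed under other key rejected:", is_rejected("pages:2", entry))
    for u in ("/typo3/module?id=1", "//evil.example/", "https://evil.example/", "/\\evil.example"):
        print(u, "->", is_local_url(u))
```

The `load_unchecked` function is kept only to make the contrast visible: it trusts the store, so anyone who can write to it decides what gets deserialized, whereas `load_verified` refuses before `pickle.loads` is ever reached. For the redirect check, the decision is made on the raw string rather than on a "sanitized" copy, and the same validated string is what gets used afterwards.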

TYPO3 has provided patches for these vulnerabilities. Specific affected versions vary by CVE, but generally include versions prior to 10.4.57, 11.5.51, 12.4.46, 13.4.31, and 14.3.x, with some exceptions noted in the individual CVE descriptions. Users are strongly advised to consult the official TYPO3 security advisories and apply the necessary updates to mitigate these risks. The coordinated disclosure of these thirteen vulnerabilities highlights the importance of regular security audits and prompt patching for TYPO3 installations to protect against potential backend compromises.

Synthesized by Vypr AI