TYPO3 CMS has Broken Access Control in its Media Module

🗓️ 12 Jun 2026 19:09:30Reported by GitHub Advisory DatabaseType

TYPO3 Media Module had broken access control exposing files via fallback storage; fixed in 11.5.51,12.4.46,13.4.31,14.3.3.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2026-49742	10 Jun 202603:07	–	circl
CVE	CVE-2026-49742	9 Jun 202610:54	–	cve
Cvelist	CVE-2026-49742 TYPO3 CMS - Broken Access Control in Media Module	9 Jun 202610:54	–	cvelist
EUVD	EUVD-2026-35403	12 Jun 202619:09	–	euvd
Friends Of PHP	TYPO3-CORE-SA-2026-013: Broken Access Control in Media Module	9 Jun 202608:59	–	friendsofphp
NVD	CVE-2026-49742	9 Jun 202611:16	–	nvd
OSV	GHSA-CHM7-4VCH-H8VR TYPO3 CMS has Broken Access Control in its Media Module	12 Jun 202619:09	–	osv
Positive Technologies	PT-2026-47749	9 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-49742	10 Jun 202614:59	–	redhatcve
Vulnrichment	CVE-2026-49742 TYPO3 CMS - Broken Access Control in Media Module	9 Jun 202610:54	–	vulnrichment

Vulners

Node

typo3 cms-filelistRange14.0.0–14.3.3composer

typo3 cms-filelistRange13.0.0–13.4.31composer

typo3 cms-filelistRange12.0.0–12.4.46composer

typo3 cms-filelistRange11.0.0–11.5.51composer

typo3 cms-coreRange14.0.0–14.3.3composer

typo3 cms-coreRange13.0.0–13.4.31composer

typo3 cms-coreRange12.0.0–12.4.46composer

typo3 cms-coreRange11.0.0–11.5.51composer

Source	Link
github	www.github.com/TYPO3/typo3/security/advisories/GHSA-chm7-4vch-h8vr
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-49742
github	www.github.com/TYPO3/typo3/commit/ad636b6183843b57c758a1e12174a75093ac93c3
github	www.github.com/TYPO3/typo3/commit/caa6b444d7ab1bdd1eb76a68004c8be73d98e6ae
github	www.github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49742.yaml
typo3	www.typo3.org/security/advisory/typo3-core-sa-2026-013
github	www.github.com/advisories/GHSA-chm7-4vch-h8vr

12 Jun 2026 19:09Current

5.2Medium risk

Vulners AI Score5.2

CVSS 47.1

EPSS0.00036

SSVC