TYPO3 CMS has Broken Access Control in the Recycler Module

🗓️ 12 Jun 2026 20:08:04Reported by GitHub Advisory DatabaseType

Recycler module allowed restoring records beyond user permissions; update TYPO3 to fixed versions.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2026-47349	10 Jun 202613:15	–	circl
CVE	CVE-2026-47349	9 Jun 202610:51	–	cve
Cvelist	CVE-2026-47349 TYPO3 CMS - Broken Access Control in Recycler	9 Jun 202610:51	–	cvelist
EUVD	EUVD-2026-35396	12 Jun 202620:08	–	euvd
Friends Of PHP	TYPO3-CORE-SA-2026-011: Broken Access Control in Recycler	9 Jun 202608:58	–	friendsofphp
NVD	CVE-2026-47349	9 Jun 202611:16	–	nvd
OSV	GHSA-F34X-RX2W-7PM3 TYPO3 CMS has Broken Access Control in the Recycler Module	12 Jun 202620:08	–	osv
Positive Technologies	PT-2026-47742	9 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-47349	10 Jun 202615:00	–	redhatcve
Vulnrichment	CVE-2026-47349 TYPO3 CMS - Broken Access Control in Recycler	9 Jun 202610:51	–	vulnrichment

Vulners

Node

typo3 cms-recyclerRange14.0.0–14.3.3composer

typo3 cms-recyclerRange13.0.0–13.4.31composer

typo3 cms-recyclerRange12.0.0–12.4.46composer

typo3 cms-recyclerRange11.0.0–11.5.51composer

typo3 cms-recyclerRange<10.4.57composer

typo3 cms-coreRange14.0.0–14.3.3composer

typo3 cms-coreRange13.0.0–13.4.31composer

typo3 cms-coreRange12.0.0–12.4.46composer

typo3 cms-coreRange11.0.0–11.5.51composer

typo3 cms-coreRange<10.4.57composer

Source	Link
github	www.github.com/TYPO3/typo3/security/advisories/GHSA-f34x-rx2w-7pm3
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-47349
github	www.github.com/TYPO3/typo3/commit/92f08d8944f1aeccf506fcd323c260448c64d7c8
github	www.github.com/TYPO3/typo3/commit/9f17a307cf774d63ab8291fc97c6b55653b4265a
github	www.github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47349.yaml
typo3	www.typo3.org/security/advisory/typo3-core-sa-2026-011
github	www.github.com/advisories/GHSA-f34x-rx2w-7pm3

12 Jun 2026 20:08Current

5.2Medium risk

Vulners AI Score5.2

CVSS 45.3

EPSS0.00036

SSVC