38 matches found

Snyk, added 2026/04/21 11:15 a.m., 3 views

Cleartext Storage of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the SetupModuleController module merging entity data with user-interface settings before storing them in DB. An attacker can obtain sensitive user credentials by accessing the uc and...

CVSS 8.3, AI score 5.7, EPSS 0.0002
Exploits 0, References 2
RedhatCVE, added 2026/01/14 12:26 p.m., 3 views

CVE-2025-59020

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced s...

CVSS 6.5, AI score 6.9, EPSS 0.00014
Exploits 0, References 1
OSV, added 2026/01/13 12:15 p.m., 1 view

CVE-2025-59020

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced s...

CVSS 6.5, AI score 6.8
Exploits 0, References 4
EUVD, added 2025/10/07 12:30 a.m., 2 views

EUVD-2009-4674

Malware in sbrugna...

CVSS 7.5, AI score 6.4, EPSS 0.00413
Exploits 0, References 5
EUVD, added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-27228

Malicious code in bioql PyPI...

CVSS 8.8, AI score 6.3, EPSS 0.00097
Exploits 0, References 1
EUVD, added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-1993

Malicious code in bioql PyPI...

CVSS 4, AI score 6.3, EPSS 0.00176
Exploits 0, References 4
RedhatCVE, added 2025/09/11 9:21 a.m., 3 views

CVE-2025-59017

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules...

CVSS 8.8, AI score 6.8, EPSS 0.00097
Exploits 0, References 1
Github Security Blog, added 2025/09/09 9:31 a.m., 7 views

TYPO3 backend modules have Broken Access Control

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules...

CVSS 8.8, AI score 6.9, EPSS 0.00097
Exploits 0, References 8, Affected software 5
Snyk, added 2025/09/09 9:31 a.m., 3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to inconsistent checks in the backend routing. An attacker can gain unauthorized access to backend AJAX routes by directly invoking them without proper permissions. Note: Additional fixed versions are available...

CVSS 8.8, AI score 6.7, EPSS 0.00097
Exploits 0, References 2
Snyk, added 2025/09/09 9:31 a.m., 2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization for the CSV download process. An attacker can access sensitive information from arbitrary database tables in the user's web mounts. Notes: - This vulnerability is limited to database records that fell within the pa...

CVSS 5.3, AI score 6.5, EPSS 0.0007
Exploits 0, References 2
CVE, added 2025/09/09 9:01 a.m., 11 views

CVE-2025-59017

CVE-2025-59017 reports missing authorization checks in TYPO3 CMS backend routing: backend users can directly invoke AJAX backend routes without access to the corresponding backend modules. Affected versions are 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17. The ...

CVSS 8.8, AI score 6.3, EPSS 0.00097
Exploits 0, References 1, Affected software 1
Positive Technologies, added 2025/09/09 12:00 a.m., 2 views

PT-2025-36693

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 9.0.0 through 9.5.54; TYPO3 CMS versions 10.0.0 through 10.4.53; TYPO3 CMS versions 11.0.0 through 11.5.47; TYPO3 CMS versions 12.0.0 through 12.4.36; TYPO3 CMS versions 13.0.0 through 13.4.17. Description: The Backend Routing...

CVSS 8.8, AI score 6.1, EPSS 0.00097
Exploits 0, References 12
Veracode, added 2025/05/26 3:55 a.m., 7 views

Cross-Site Scripting (XSS)

clickstorm/cs-seo is vulnerable to cross-site scripting (XSS). The vulnerability is due to improper handling of data in the JSON-LD output, which allows an attacker to execute arbitrary JavaScript code in the context of the affected TYPO3 backend session...

CVSS 6.4, AI score 6.4, EPSS 0.00172
Exploits 0, References 5, Affected software 1
RedhatCVE, added 2025/05/23 7:41 a.m., 5 views

CVE-2024-55920

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery CSRF. Additionally, state-changing actions in downstrea...

CVSS 4.3, AI score 4.6, EPSS 0.00472
Exploits 0, References 1
Snyk, added 2025/05/20 2:44 p.m., 1 view

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to insufficient enforcement of access restrictions on all backend routes. An attacker can bypass the multifactor authentication MFA dialog presented during backend login by...

CVSS 8.6, AI score 7.1, EPSS 0.00276
Exploits 0, References 2
Veracode, added 2025/03/21 4:22 a.m., 6 views

Cross-site Scripting (XSS)

codingms/additional-tca is vulnerable to cross-site scripting (XSS). The vulnerability is due to improper input encoding: a logged-in backend user is able to inject HTML content through the TYPO3 backend user interface, leading to potential XSS attacks...

AI score 5.5
Exploits 0, References 3, Affected software 1
Github Security Blog, added 2025/03/19 2:15 a.m., 9 views

Clickstorm SEO Allows Cross-Site Scripting (XSS)

A cross-site scripting (XSS) vulnerability has been discovered in the Clickstorm SEO extension. This vulnerability is exploitable by a logged-in backend user utilizing the TYPO3 backend user interface. This user can create output in the HTML context by exploiting improperly encoded user input. Update...

AI score 5.8
Exploits 0, References 4, Affected software 1
OSV, added 2025/03/19 2:15 a.m., 3 views

GHSA-VMGW-24W6-9V82 Clickstorm SEO Allows Cross-Site Scripting (XSS)

A cross-site scripting (XSS) vulnerability has been discovered in the Clickstorm SEO extension. This vulnerability is exploitable by a logged-in backend user utilizing the TYPO3 backend user interface. This user can create output in the HTML context by exploiting improperly encoded user input. Update...

CVSS 6.3, AI score 5.7
Exploits 0, References 4
Github Security Blog, added 2025/03/19 1:37 a.m., 14 views

Additional TCA Allows Cross-Site Scripting (XSS)

A cross-site scripting (XSS) vulnerability has been discovered in the Additional TCA extension. This vulnerability is exploitable by a logged-in backend user utilizing the TYPO3 backend user interface. This user can create output in the HTML context by exploiting improperly encoded user input. Update...

AI score 5.8
Exploits 0, References 4, Affected software 1
Github Security Blog, added 2025/01/14 3:42 p.m., 12 views

TYPO3 DB Check Module vulnerable to Cross-Site Request Forgery

Problem: A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP...

CVSS 6.5, AI score 4.5, EPSS 0.00309
Exploits 0, References 4, Affected software 1