CVE-2025-47937
TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer DBAL, frontend...
PT-2025-22368
Name of the Vulnerable Software and Affected Versions: sr_feuser_register extension for TYPO3, versions through 12.4.8. Description: The issue allows remote code execution via unsafe deserialization. There is no information provided about the estimated number of potentially affected devices worldwide...
CVE-2024-55922
CVE-2024-55922 is a CSRF vulnerability in TYPO3’s backend UI deep-link functionality affecting the Form Framework Module. The issue allows an attacker to manipulate or delete persisted form definitions when a victim with an active backend session is deceived into visiting a malicious URL. Conditi...
PT-2025-3160 · Typo3 · Typo3
Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 11.5.42 ELTS. Description: A vulnerability has been identified in the backend user interface functionality involving deep links, which is susceptible to Cross-Site Request Forgery (CSRF). State-changing actions in...
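The deep-link CSRF described in CVE-2024-55922 and PT-2025-3160 above comes down to a state-changing action (here, deleting a persisted form definition) being triggered by a URL that carries nothing the attacker cannot forge. The following is an added, generic illustration and not TYPO3 code: the session store, the form store, the `action`/`form`/`token` query parameters and the handler names are all assumptions. It contrasts a handler that only checks for a live session with one that additionally requires an HMAC token bound to the session secret, the action and the target form.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed backend session store (assumption): session id -> per-session secret.
SESSIONS = {"sess-alice": secrets.token_bytes(32)}


def new_form_store():
    """Constructed sample of persisted form definitions (assumption)."""
    return {"contact": "<form definition>", "newsletter": "<form definition>"}


def deep_link_token(session_id: str, action: str, form_id: str) -> str:
    """Token a legitimate backend UI would embed in its own deep links.

    Bound to the session secret, the action and the form, so a link crafted
    by a third party cannot carry a valid one."""
    key = SESSIONS[session_id]
    message = f"{action}:{form_id}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def _parse(url: str):
    query = parse_qs(urlparse(url).query)
    return (
        query.get("action", [""])[0],
        query.get("form", [""])[0],
        query.get("token", [""])[0],
    )


def handle_vulnerable(session_id: str, url: str, forms: dict) -> str:
    """Vulnerable pattern: any deep link is honoured as long as the victim's
    browser attaches a valid session cookie, which it does automatically."""
    if session_id not in SESSIONS:
        return "unauthenticated"
    action, form_id, _ = _parse(url)
    if action == "delete":
        forms.pop(form_id, None)
        return "deleted"
    return "shown"


def handle_hardened(session_id: str, url: str, forms: dict) -> str:
    """Hardened pattern: state-changing actions require a token that only the
    application itself could have minted for this session, action and form."""
    if session_id not in SESSIONS:
        return "unauthenticated"
    action, form_id, token = _parse(url)
    if action == "delete":
        expected = deep_link_token(session_id, action, form_id)
        # Constant-time comparison; an empty or forged token never matches.
        if not hmac.compare_digest(token, expected):
            return "rejected"
        forms.pop(form_id, None)
        return "deleted"
    return "shown"


if __name__ == "__main__":
    attacker_link = "https://backend.example/forms?action=delete&form=contact"
    store = new_form_store()
    print(handle_vulnerable("sess-alice", attacker_link, store), store)
    store = new_form_store()
    print(handle_hardened("sess-alice", attacker_link, store), store)
```

Beyond the token, a practitioner would also refuse to perform state changes on GET at all and rely on a SameSite cookie attribute as defence in depth; the token check is shown here because it is what makes a deep link safe even when the action must stay linkable.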
GHSA-2R6J-862C-M2V2 Unrestricted File Upload in Form Framework
Problem: Because file extensions were not checked against the configured allowed MIME types, attackers could upload arbitrary data with arbitrary file extensions; however, the default fileDenyPattern successfully blocked files such as .htaccess or malicious.php. TYPO3 Extbase extensions, which implement ...
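The upload weakness above is that the allowed MIME type list and the file extension were validated independently, so content of an allowed type could be stored under any extension the deny pattern did not catch. The following is an added illustration in Python, not the Form Framework's code: the allow list, the magic-byte sniffer and the deny regex (written in the spirit of TYPO3's default fileDenyPattern, not copied from it) are assumptions. It shows the decoupled check beside one that requires the extension to belong to the detected MIME type.

```python
import re
from typing import Optional

# Constructed allow list (assumption): permitted MIME type -> extensions that may carry it.
ALLOWED_MIME_TYPES = {
    "image/jpeg": {"jpg", "jpeg"},
    "image/png": {"png"},
    "application/pdf": {"pdf"},
}

# Illustrative deny pattern modelled on TYPO3's default fileDenyPattern (assumption,
# not the exact upstream value): blocks PHP-family extensions, .pl and .htaccess,
# including double extensions such as shell.php.png.
FILE_DENY_PATTERN = re.compile(
    r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$",
    re.IGNORECASE,
)

# Minimal content sniffer by magic bytes (assumption; a real deployment would use libmagic).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF-": "application/pdf",
}


def sniff_mime(data: bytes) -> Optional[str]:
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def extension_of(filename: str) -> str:
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def vulnerable_accepts(filename: str, data: bytes) -> bool:
    """Decoupled checks: the content must be an allowed type and the name must
    pass the deny pattern, but nothing ties the extension to the type."""
    if FILE_DENY_PATTERN.search(filename):
        return False
    return sniff_mime(data) in ALLOWED_MIME_TYPES


def hardened_accepts(filename: str, data: bytes) -> bool:
    """Coupled check: the extension must be one configured for the detected type."""
    if FILE_DENY_PATTERN.search(filename):
        return False
    mime = sniff_mime(data)
    if mime not in ALLOWED_MIME_TYPES:
        return False
    return extension_of(filename) in ALLOWED_MIME_TYPES[mime]


# Constructed sample uploads (assumption).
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
# Valid PNG signature followed by markup: served as text/html by extension, it is
# a stored-XSS vector even though the sniffer reports image/png.
PNG_THEN_HTML = b"\x89PNG\r\n\x1a\n" + b"<script>alert(1)</script>"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", JPEG), ("notes.html", PNG_THEN_HTML), ("shell.php.png", PNG_THEN_HTML)]:
        print(name, vulnerable_accepts(name, blob), hardened_accepts(name, blob))
```

The deny pattern is what kept the original issue from being a direct code-execution bug, which is why the advisory notes it blocked `.htaccess` and `malicious.php`; the extension-to-type binding is the part that closes the remaining arbitrary-extension gap.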