EUVD-2026-35396

TYPO3 CMS has Broken Access Control in the Recycler Module...

EUVD-2026-35392

TYPO3 CMS: Destructive Actions on File Mount Folders...

GHSA-JF56-V8JC-JCC5 TYPO3 CMS has Broken Access Control in its File Abstraction Layer

Problem The path allowance check in GeneralUtility::isAllowedAbsPath performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html...

EUVD-2026-35399

TYPO3 CMS has Broken Access Control in Backend API...

CVE-2026-11607

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to...

CVE-2026-47347

CVE-2026-47347 affects TYPO3 CMS where GeneralUtility::sanitizeLocalUrl can be bypassed, enabling an open redirect if a URL is used after sanitization. Affected versions are older: 10.4.57, 11.0.0–11.5.50, 12.0.0–12.4.45, 13.0.0–13.4.30, and 14.0.0–14.3.2. The CVE entry notes the impact as open r...

TYPO3 CMS 安全漏洞

TYPO3 CMS is a content management system developed under the TYPO3 open source project. Versions 13.0.0–13.4.31 and 14.0.0–14.3.3 of TYPO3 CMS have security vulnerabilities. These vulnerabilities stem from the ability of users at the backend to move records to different pages without the necessar...

PT-2026-47748

Name of the Vulnerable Software and Affected Versions TYPO3 CMS versions 14.0.0 through 14.3.3 Description Backend users with write access to the form definition database table can directly create, update, or delete form definition records using the DataHandler. This process bypasses the Form...

PT-2026-47743

Name of the Vulnerable Software and Affected Versions TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 Description Backend users can move records to a different page even if they lack the necessary edit permissions on the source page. Recommendations Update TYPO3...

CVE-2025-59022

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website...

CVE-2025-59021

Backend users with access to the redirects module and write permission on the sysredirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs...

PT-2026-2476

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website...

PT-2026-2475

Backend users with access to the redirects module and write permission on the sys redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URL...

EUVD-2009-0264

Malware in sbrugna...

EUVD-2010-0381

Malware in sbrugna...

EUVD-2022-5131

Malicious code in bioql PyPI...

EUVD-2022-1633

Malicious code in bioql PyPI...

EUVD-2022-5016

Malicious code in bioql PyPI...

EUVD-2022-3092

Malicious code in bioql PyPI...

EUVD-2022-1618

Malicious code in bioql PyPI...