CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 7 hours ago•5 views

EUVD-2026-35399

Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46,...

EUVD•added 7 hours ago•4 views

EUVD-2026-35396

Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3...

CVE•added 7 hours ago•8 views

CVE-2026-47347

CVE-2026-47347 affects TYPO3 CMS where GeneralUtility::sanitizeLocalUrl can be bypassed, enabling an open redirect if a URL is used after sanitization. Affected versions are older: 10.4.57, 11.0.0–11.5.50, 12.0.0–12.4.45, 13.0.0–13.4.30, and 14.0.0–14.3.2. The CVE entry notes the impact as open r...

EUVD•added 7 hours ago•4 views

EUVD-2026-35392

Non-privileged backend users with file mount access were able to perform write operations move, delete, rename on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0...

7.2CVSS5.5AI score

Positive Technologies•added 18 hours ago•4 views

PT-2026-47743

Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3...

Positive Technologies•added 18 hours ago•4 views

PT-2026-47748

Backend users with write access to the form definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations,...

8.7CVSS5.7AI score

OSV•added 2026/01/13 12:15 p.m.•2 views

CVE-2025-59022

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website...

8.1CVSS6.8AI score

OSV•added 2026/01/13 12:15 p.m.•2 views

CVE-2025-59021

Backend users with access to the redirects module and write permission on the sysredirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs...

6.4CVSS6.9AI score

Positive Technologies•added 2026/01/13 12:0 a.m.•5 views

PT-2026-2476

7.1CVSS6.8AI score0.0002EPSS

Exploits0References8

Positive Technologies•added 2026/01/13 12:0 a.m.•3 views

PT-2026-2475

Backend users with access to the redirects module and write permission on the sys redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URL...

5.3CVSS6.9AI score0.00013EPSS

Exploits0References7

EUVD•added 2025/10/07 12:30 a.m.•3 views

EUVD-2010-0381

Malware in sbrugna...

7.5CVSS6.4AI score0.00219EPSS