60 matches found
CVE-2026-48189 Bypass DedicatedAgentToCustomerGroups Setting
An improper input validation vulnerability in the OTRS Customer Backend module allows access to customer information that is restricted to other groups. Note that the feature has to be enabled and CustomerGroupSupport has to be in use for a system to be affected. This issue affects OTRS: 7.0.X, 8.0.X, 2023.X...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the backend account management in FormController. An attacker can gain unauthorized access to higher privilege levels by sending specially crafted requests while authenticated as a...
CVE-2022-23503
TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible t...
CVE-2025-14837
A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has bee...
EUVD-2025-116206
Malicious code in backend-ursa-achernar-react-bootstrap npm...
EUVD-2021-0593
Malware in sbrugna...
EUVD-2021-0722
Malware in sbrugna...
EUVD-2024-1790
Malicious code in bioql PyPI...
GHSA-463C-JHP2-4MM7 The Backup Plus extension for TYPO3 (ns_backup) allows command injections
The ns_backup extension through 13.0.0 for TYPO3 allows command injection when creating a backup. An authenticated backend user with access to the extension's backend module is required to exploit the vulnerability...
TYPO3 Cross-Site Scripting in Filelist Module
It has been discovered that the output table listing in the “Files” backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences. Access to the file system of the server - either directly or through synchronization - is required to exploit the...
GHSA-G7HW-JH4P-75WR TYPO3 Cross-Site Scripting in Filelist Module
It has been discovered that the output table listing in the “Files” backend module is vulnerable to cross-site scripting when a file extension contains malicious sequences. Access to the file system of the server - either directly or through synchronization - is required to exploit the...
PT-2024-40142 · Packagist · Typo3/Cms-Core
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned. Description: A cross-site scripting issue has been found in the output table listing of the "Files" backend module. This occurs when a file extension contains malicious sequences. To exploit thi...
CVE-2024-34356
TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user...
CVE-2024-34355
TYPO3 history backend module (software: TYPO3) is affected in versions 13.0.0 up to 13.1.0. The vulnerability is an HTML injection flaw in historyRow.title that persists despite CSP headers; exploitation requires a valid backend user account. The issue is resolved in TYPO3 v13.1.1. Connected advi...
BIT-TYPO3-2021-21358
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed...
CVE-2024-24751 Broken Access Control in Backend Module in sf_event_mgt
sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the RedirectResponse from the...
derhansen/sf_event_mgt vulnerable to Broken Access Control in Backend Module
The existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the RedirectResponse from the $this->redirect function was never handled...
GHSA-4576-PGH2-G34J derhansen/sf_event_mgt vulnerable to Broken Access Control in Backend Module
The existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the RedirectResponse from the $this->redirect function was never handled...
SQL injection
SQL injection vulnerability in Dzzoffice version 2.01 allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module...
CVE-2023-39853
CVE-2023-39853 affects Dzzoffice 2.01. A SQL injection vulnerability exists in the Network Disk backend module, exploitable via the doobj and doevent parameters to leak or access sensitive information. The NVD/CNA metrics indicate network access with low attack complexity and minimal privileges r...