EUVD-2026-35391

TYPO3 CMS has Broken Access Control in its Form Framework...

TYPO3 CMS: Destructive Actions on File Mount Folders

Problem Non-privileged backend users with file mount access were able to perform write operations move, delete, rename on folders representing the root of an active file mount due to missing authorization restrictions. Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,...

EUVD-2026-35402

TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework...

TYPO3 CMS has Broken Access Control in its Form Framework

Problem Backend users with file write permissions were able to upload form definition files with mixed-case extensions e.g., .FORM.YAML to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers ...

EUVD-2026-35393

TYPO3 CMS has Broken Access Control in its Form Framework...

GHSA-Q93M-25XV-94HH TYPO3 CMS: Broken Access Control in Media Module

Problem Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS,...

CVE-2026-47352

Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46,...

CVE-2026-47348

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding,...

CVE-2026-11607

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to...

CVE-2026-47343

Non-privileged backend users with file mount access were able to perform write operations move, delete, rename on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0...

CVE-2026-49741

Backend users with write access to the formdefinition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations,...

CVE-2026-47343

creationtimestamp| type| source ---|---|--- 2026-06-10 03:07:26+00:00| seen| https://www.acn.gov.it/portale/w/rilevate-vulnerabilita-in-typo3-cms...

CVE-2026-49742

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer FAL via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This...

CVE-2026-47343

Non-privileged backend users with file mount access were able to perform write operations move, delete, rename on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0...

CVE-2026-49741

CVE-2026-49741 concerns TYPO3 CMS where backend users with write access to the form_definition table can directly manipulate form definitions via DataHandler, bypassing Form Framework validation and permission checks. This enables injecting arbitrary form configurations and is associated with SQL...

CVE-2026-49740

TYPO3 CMS: Insecure deserialization in core API (VariableFrontend and Registry) allows crafting serialized payloads to trigger PHP Object Injection with local write access to the cache store or sys_registry table. Impact could lead to Remote Code Execution or other high-impact effects as per the ...

CVE-2026-49740 TYPO3 CMS - Insecure Deserialization in Core API

TYPO3's cache frontend VariableFrontend and persistent key-value store Registry deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend cache store or sysregistry database table could inject a crafted serialized...

CVE-2026-49738 TYPO3 CMS - Broken Access Control in File Abstraction Layer

The path allowance check in GeneralUtility::isAllowedAbsPath performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator...

CVE-2026-47352 TYPO3 CMS - Broken Access Control in Backend API

Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46,...

CVE-2026-47352 TYPO3 CMS - Broken Access Control in Backend API

Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46,...