Package details: pkg:composer/typo3/cms-backend@14.0.2
purl pkg:composer/typo3/cms-backend@14.0.2
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-uvfp-uq3t-6ffg
Aliases: CVE-2025-59020, GHSA-5j7q-wmh7-cqhg
Summary: TYPO3 CMS Allows Broken Access Control in Edit Document Controller

### Problem
By exploiting the `defVals` parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields.

### Solution
Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

### Credits
Thanks to Daniel Windloff for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

### References
* [TYPO3-CORE-SA-2026-001](https://typo3.org/security/advisory/typo3-core-sa-2026-001)

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-01T16:07:44.318080+00:00 | GHSA Importer | Fixing | VCID-uvfp-uq3t-6ffg | https://github.com/advisories/GHSA-5j7q-wmh7-cqhg | 38.0.0 |
| 2026-04-01T12:53:38.983795+00:00 | GitLab Importer | Fixing | VCID-uvfp-uq3t-6ffg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-backend/CVE-2025-59020.yml | 38.0.0 |
| 2026-04-01T12:52:23.746868+00:00 | GithubOSV Importer | Fixing | VCID-uvfp-uq3t-6ffg | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-5j7q-wmh7-cqhg/GHSA-5j7q-wmh7-cqhg.json | 38.0.0 |