Package details: pkg:composer/typo3/cms-core@8.5.0
purl pkg:composer/typo3/cms-core@8.5.0
Tags Ghost
Next non-vulnerable version 12.4.41
Latest non-vulnerable version 14.0.2
Risk 4.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-9jj4-ec9n-qbhs
Aliases:
2018-07-12-4
Insecure Deserialization in TYPO3 CMS.
8.7.17
Affected by 76 other vulnerabilities.
9.3.2
Affected by 102 other vulnerabilities.
VCID-ayw6-8pn4-17eb
Aliases:
GHSA-96jg-pmc4-cx39
TYPO3 CMS Insecure Deserialization. It has been discovered that the Form Framework (system extension `form`) is vulnerable to Insecure Deserialization when used with the additional PHP PECL package `yaml`, which is capable of unserializing YAML contents to PHP objects. Exploiting this vulnerability requires a valid backend user account and the PHP setting `yaml.decode_php` to be enabled (which is the default value according to PHP documentation).
8.7.17
Affected by 76 other vulnerabilities.
9.3.1
Affected by 105 other vulnerabilities.
VCID-mh4f-vtfj-hbb1
Aliases:
GHSA-4459-qrcc-vfcf
TYPO3 Cross-Site Scripting in Form Framework. Because user input is not properly encoded, frontend forms handled by the Form Framework (system extension “form”) are vulnerable to cross-site scripting.
8.7.23
Affected by 46 other vulnerabilities.
9.5.4
Affected by 75 other vulnerabilities.
VCID-wkm6-cgc8-bfa8
Aliases:
2018-07-12-3
Privilege Escalation & SQL Injection in TYPO3 CMS.
8.7.17
Affected by 76 other vulnerabilities.
9.3.2
Affected by 102 other vulnerabilities.
VCID-zw9b-6vkf-3fc6
Aliases:
GHSA-45wj-jv2h-jwrf
TYPO3 CMS Privilege Escalation and SQL Injection. Because system-related configuration is not properly dissociated from user-generated configuration, the Form Framework (system extension "form") is vulnerable to SQL injection and privilege escalation. Instructions that were not configured to be modifiable can be persisted to a form definition file; this applies to definitions managed using the form editor module as well as to direct file upload using the regular file list module. Exploiting this vulnerability requires a valid backend user account and the system extension form to be activated.
8.7.17
Affected by 76 other vulnerabilities.
9.3.2
Affected by 102 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-02T12:39:25.065224+00:00 GitLab Importer Affected by VCID-ayw6-8pn4-17eb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-96jg-pmc4-cx39.yml 38.0.0
2026-04-02T12:39:24.836227+00:00 GitLab Importer Affected by VCID-mh4f-vtfj-hbb1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-4459-qrcc-vfcf.yml 38.0.0
2026-04-02T12:39:24.273293+00:00 GitLab Importer Affected by VCID-zw9b-6vkf-3fc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/GHSA-45wj-jv2h-jwrf.yml 38.0.0
2026-04-01T16:05:36.179234+00:00 GHSA Importer Affected by VCID-mh4f-vtfj-hbb1 https://github.com/advisories/GHSA-4459-qrcc-vfcf 38.0.0
2026-04-01T16:05:35.421327+00:00 GHSA Importer Affected by VCID-ayw6-8pn4-17eb https://github.com/advisories/GHSA-96jg-pmc4-cx39 38.0.0
2026-04-01T16:05:35.311047+00:00 GHSA Importer Affected by VCID-zw9b-6vkf-3fc6 https://github.com/advisories/GHSA-45wj-jv2h-jwrf 38.0.0
2026-04-01T12:47:50.695157+00:00 GitLab Importer Affected by VCID-wkm6-cgc8-bfa8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-3.yml 38.0.0
2026-04-01T12:47:50.471096+00:00 GitLab Importer Affected by VCID-9jj4-ec9n-qbhs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-core/2018-07-12-4.yml 38.0.0