Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/typo3/cms@4.0.0
purl pkg:composer/typo3/cms@4.0.0
Tags Ghost
Next non-vulnerable version 10.4.35
Latest non-vulnerable version 12.2.0
Risk 4.5
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-69fr-ztbp-z7gg
Aliases:
CVE-2009-0258
GHSA-74w6-ww7w-45j9
Improper Input Validation The Indexed Search Engine (indexed_search) system extension in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to execute arbitrary commands via a crafted filename containing shell metacharacters, which is not properly handled by the command-line indexer.
4.0.10
Affected by 0 other vulnerabilities.
4.1.8
Affected by 0 other vulnerabilities.
4.2.4
Affected by 0 other vulnerabilities.
VCID-acey-xzmu-7yg9
Aliases:
CVE-2009-0816
GHSA-jg55-3q6h-2ccf
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the backend user interface in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields.
4.0.12
Affected by 0 other vulnerabilities.
4.1.10
Affected by 0 other vulnerabilities.
4.2.6
Affected by 0 other vulnerabilities.
VCID-b5ht-z6zp-pbht
Aliases:
CVE-2015-5956
GHSA-989h-wv8x-933p
Cross-Site Scripting Vulnerability It has been discovered, that it is possible to forge a link to a backend module, which contains a JavaScript payload. This JavaScript is executed, if an authenticated editor with access to the module follows the link that, is tricked to click on a certain HTML target. Because TYPO3 include a secret token unknown to an attacker in every URL, an exploit would not be feasible for these versions.
6.2.15
Affected by 79 other vulnerabilities.
7.4.0
Affected by 44 other vulnerabilities.
VCID-zkmd-h3ch-ebbg
Aliases:
CVE-2009-0256
GHSA-q45q-5233-229p
Improper Authentication Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.
4.0.10
Affected by 0 other vulnerabilities.
4.1.8
Affected by 0 other vulnerabilities.
4.2.4
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-04T14:30:47.747450+00:00 GHSA Importer Affected by VCID-b5ht-z6zp-pbht https://github.com/advisories/GHSA-989h-wv8x-933p 38.1.0
2026-04-01T16:00:37.447810+00:00 GHSA Importer Affected by VCID-acey-xzmu-7yg9 https://github.com/advisories/GHSA-jg55-3q6h-2ccf 38.0.0
2026-04-01T16:00:36.462718+00:00 GHSA Importer Affected by VCID-69fr-ztbp-z7gg https://github.com/advisories/GHSA-74w6-ww7w-45j9 38.0.0
2026-04-01T16:00:36.326595+00:00 GHSA Importer Affected by VCID-zkmd-h3ch-ebbg https://github.com/advisories/GHSA-q45q-5233-229p 38.0.0
2026-04-01T12:50:01.625328+00:00 GitLab Importer Affected by VCID-69fr-ztbp-z7gg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0258.yml 38.0.0
2026-04-01T12:50:01.514429+00:00 GitLab Importer Affected by VCID-zkmd-h3ch-ebbg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0256.yml 38.0.0
2026-04-01T12:49:59.469783+00:00 GitLab Importer Affected by VCID-acey-xzmu-7yg9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2009-0816.yml 38.0.0