Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/typo3/cms@4.6.6
purl pkg:composer/typo3/cms@4.6.6
Tags Ghost
Next non-vulnerable version 10.4.35
Latest non-vulnerable version 12.2.0
Risk 3.1
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-88ng-ph1q-cybw
Aliases:
CVE-2012-1608
GHSA-w3v6-r62r-fvqh
Improper Input Validation The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non printable characters.
4.6.7
Affected by 0 other vulnerabilities.
VCID-fprf-zjud-8fcv
Aliases:
CVE-2012-1606
GHSA-7wwr-p84q-qr3q
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
4.6.7
Affected by 0 other vulnerabilities.
VCID-fv74-gq28-rkd5
Aliases:
CVE-2012-1605
GHSA-7jfm-px59-99w8
Typo3 Extbase Framework Unsafe Deserialization The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (HMAC) for a request argument."
4.6.7
Affected by 0 other vulnerabilities.
VCID-yk4b-baue-rkbt
Aliases:
CVE-2012-1607
GHSA-q68v-vcjg-r3vp
TYPO3 allows remote attackers to obtain the database name via a direct request The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to obtain the database name via a direct request. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-04T14:31:50.573948+00:00 GHSA Importer Affected by VCID-88ng-ph1q-cybw https://github.com/advisories/GHSA-w3v6-r62r-fvqh 38.1.0
2026-04-04T14:31:50.545360+00:00 GHSA Importer Affected by VCID-yk4b-baue-rkbt https://github.com/advisories/GHSA-q68v-vcjg-r3vp 38.1.0
2026-04-04T14:31:50.485277+00:00 GHSA Importer Affected by VCID-fprf-zjud-8fcv https://github.com/advisories/GHSA-7wwr-p84q-qr3q 38.1.0
2026-04-04T14:31:50.291400+00:00 GHSA Importer Affected by VCID-fv74-gq28-rkd5 https://github.com/advisories/GHSA-7jfm-px59-99w8 38.1.0
2026-04-03T21:25:58.319808+00:00 GitLab Importer Affected by VCID-yk4b-baue-rkbt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2012-1607.yml 38.1.0
2026-04-03T21:25:57.517336+00:00 GitLab Importer Affected by VCID-fv74-gq28-rkd5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2012-1605.yml 38.1.0
2026-04-01T12:50:44.797372+00:00 GitLab Importer Affected by VCID-88ng-ph1q-cybw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2012-1608.yml 38.0.0
2026-04-01T12:50:42.091437+00:00 GitLab Importer Affected by VCID-fprf-zjud-8fcv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2012-1606.yml 38.0.0