{"url":"http://public2.vulnerablecode.io/api/packages/280866?format=json","purl":"pkg:composer/typo3/cms-core@9.5.21","type":"composer","namespace":"typo3","name":"cms-core","version":"9.5.21","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.5.25","latest_non_vulnerable_version":"14.0.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54229?format=json","vulnerability_id":"VCID-1ffs-9vj5-27hk","summary":"Path Traversal\nDue to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default `_fileDenyPattern_` successfully blocked files like `_.htaccess_` or `_malicious.php_`. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21357","reference_id":"","reference_type":"","scores":[{"value":"0.01121","scoring_system":"epss","scoring_elements":"0.78584","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21357"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21357.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21357.yaml"},{"reference_url":"https://packagist.org/packages/typo3/cms-form","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-form"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-003","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-003"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21357","reference_id":"CVE-2021-21357","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21357"},{"reference_url":"https://github.com/advisories/GHSA-3vg7-jw9m-pc3f","reference_id":"GHSA-3vg7-jw9m-pc3f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3vg7-jw9m-pc3f"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3vg7-jw9m-pc3f","reference_id":"GHSA-3vg7-jw9m-pc3f","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-3vg7-jw9m-pc3f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80039?format=json","purl":"pkg:composer/typo3/cms-core@9.5.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25"},{"url":"http://public2.vulnerablecode.io/api/packages/80040?format=json","purl":"pkg:composer/typo3/cms-core@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80041?format=json","purl":"pkg:composer/typo3/cms-core@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1"}],"aliases":["CVE-2021-21357","GHSA-3vg7-jw9m-pc3f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1ffs-9vj5-27hk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53819?format=json","vulnerability_id":"VCID-4an7-9ph4-mkd4","summary":"Cleartext Storage of Sensitive Information\nTYPO3 is an open source PHP based web content management system. In TYPO3 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26228","reference_id":"","reference_type":"","scores":[{"value":"0.00177","scoring_system":"epss","scoring_elements":"0.39002","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26228"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26228.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26228.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26228.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26228.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-011","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-011"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26228","reference_id":"CVE-2020-26228","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26228"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79202?format=json","purl":"pkg:composer/typo3/cms-core@9.5.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.23"},{"url":"http://public2.vulnerablecode.io/api/packages/79195?format=json","purl":"pkg:composer/typo3/cms-core@10.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.10"}],"aliases":["CVE-2020-26228","GHSA-954j-f27r-cj52"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4an7-9ph4-mkd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54218?format=json","vulnerability_id":"VCID-6mnf-2fcw-dqgp","summary":"Asymmetric Resource Consumption (Amplification)\nRequesting invalid or non-existing resources via HTTP, triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21359","reference_id":"","reference_type":"","scores":[{"value":"0.00589","scoring_system":"epss","scoring_elements":"0.69527","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21359"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p"},{"reference_url":"https://packagist.org/packages/typo3/cms-core","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-core"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-005","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-005"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21359","reference_id":"CVE-2021-21359","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21359"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80039?format=json","purl":"pkg:composer/typo3/cms-core@9.5.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25"},{"url":"http://public2.vulnerablecode.io/api/packages/80040?format=json","purl":"pkg:composer/typo3/cms-core@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80041?format=json","purl":"pkg:composer/typo3/cms-core@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1"}],"aliases":["CVE-2021-21359","GHSA-4p9g-qgx9-397p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6mnf-2fcw-dqgp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54219?format=json","vulnerability_id":"VCID-848u-w88s-5bbe","summary":"Unrestricted Upload of File with Dangerous Type\nDue to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default `_fileDenyPattern_` successfully blocked files like `_.htaccess_` or `_malicious.php_`. Additionally, `_UploadedFileReferenceConverter_` transforming uploaded files into proper FileReference domain model objects handles possible file uploads for other extensions as well - given those extensions use the Extbase MVC framework, make use of FileReference items in their direct or inherited domain model definitions and did not implement their own type converter. In case this scenario applies, `_UploadedFileReferenceConverter_` accepts any file mime-type and persists files in the default location. In any way, uploaded files are placed in the default location `_/fileadmin/user_upload/_`, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21355","reference_id":"","reference_type":"","scores":[{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62059","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21355"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml"},{"reference_url":"https://packagist.org/packages/typo3/cms-form","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-form"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-002","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-002"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21355","reference_id":"CVE-2021-21355","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21355"},{"reference_url":"https://github.com/advisories/GHSA-2r6j-862c-m2v2","reference_id":"GHSA-2r6j-862c-m2v2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2r6j-862c-m2v2"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2","reference_id":"GHSA-2r6j-862c-m2v2","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80039?format=json","purl":"pkg:composer/typo3/cms-core@9.5.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25"},{"url":"http://public2.vulnerablecode.io/api/packages/80040?format=json","purl":"pkg:composer/typo3/cms-core@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80041?format=json","purl":"pkg:composer/typo3/cms-core@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1"}],"aliases":["CVE-2021-21355","GHSA-2r6j-862c-m2v2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-848u-w88s-5bbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54233?format=json","vulnerability_id":"VCID-ev4k-5k1d-2bhu","summary":"URL Redirection to Untrusted Site (Open Redirect)\nLogin Handling is susceptible to open redirection which allows attackers redirecting to arbitrary content, and conducting phishing attacks. No authentication is required in order to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21338","reference_id":"","reference_type":"","scores":[{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48774","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21338"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21338.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21338.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4jhw-2p6j-5wmp"},{"reference_url":"https://packagist.org/packages/typo3/cms-core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-core"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-001","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21338","reference_id":"CVE-2021-21338","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21338"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80039?format=json","purl":"pkg:composer/typo3/cms-core@9.5.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25"},{"url":"http://public2.vulnerablecode.io/api/packages/80040?format=json","purl":"pkg:composer/typo3/cms-core@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80041?format=json","purl":"pkg:composer/typo3/cms-core@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1"}],"aliases":["CVE-2021-21338","GHSA-4jhw-2p6j-5wmp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ev4k-5k1d-2bhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54220?format=json","vulnerability_id":"VCID-fqkx-v8t5-q3h6","summary":"Cleartext Storage of Sensitive Information\nUser session identifiers are stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - for example SQL injection in any other component of the system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21339","reference_id":"","reference_type":"","scores":[{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32224","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21339"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch"},{"reference_url":"https://packagist.org/packages/typo3/cms-core","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-core"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-006","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-006"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21339","reference_id":"CVE-2021-21339","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21339"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80039?format=json","purl":"pkg:composer/typo3/cms-core@9.5.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25"},{"url":"http://public2.vulnerablecode.io/api/packages/80040?format=json","purl":"pkg:composer/typo3/cms-core@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80041?format=json","purl":"pkg:composer/typo3/cms-core@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1"}],"aliases":["CVE-2021-21339","GHSA-qx3w-4864-94ch"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fqkx-v8t5-q3h6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54221?format=json","vulnerability_id":"VCID-jp1p-rfxa-hyd9","summary":"Cross-site Scripting\nContent elements of type `_menu_` are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21370","reference_id":"","reference_type":"","scores":[{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.57112","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21370"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21370.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21370.yaml"},{"reference_url":"https://packagist.org/packages/typo3/cms-backend","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-backend"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2021-008","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2021-008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21370","reference_id":"CVE-2021-21370","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21370"},{"reference_url":"https://github.com/advisories/GHSA-x7hc-x7fm-f7qh","reference_id":"GHSA-x7hc-x7fm-f7qh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x7hc-x7fm-f7qh"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh","reference_id":"GHSA-x7hc-x7fm-f7qh","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-x7hc-x7fm-f7qh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80039?format=json","purl":"pkg:composer/typo3/cms-core@9.5.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.25"},{"url":"http://public2.vulnerablecode.io/api/packages/80040?format=json","purl":"pkg:composer/typo3/cms-core@10.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/80041?format=json","purl":"pkg:composer/typo3/cms-core@11.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.1.1"}],"aliases":["CVE-2021-21370","GHSA-x7hc-x7fm-f7qh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jp1p-rfxa-hyd9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53815?format=json","vulnerability_id":"VCID-tgyt-axv1-c7ag","summary":"Cross-site Scripting\nTYPO3 is an open source PHP based web content management system. In TYPO3 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 that fix the problem described.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26227","reference_id":"","reference_type":"","scores":[{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.5838","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26227"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26227.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26227.yaml"},{"reference_url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-vqqx-jw6p-q3rf","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-vqqx-jw6p-q3rf"},{"reference_url":"https://packagist.org/packages/typo3/cms-core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/typo3/cms-core"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2020-010","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-core-sa-2020-010"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26227","reference_id":"CVE-2020-26227","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26227"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79202?format=json","purl":"pkg:composer/typo3/cms-core@9.5.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.23"},{"url":"http://public2.vulnerablecode.io/api/packages/79195?format=json","purl":"pkg:composer/typo3/cms-core@10.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ffs-9vj5-27hk"},{"vulnerability":"VCID-6mnf-2fcw-dqgp"},{"vulnerability":"VCID-6urp-p9mn-cffv"},{"vulnerability":"VCID-848u-w88s-5bbe"},{"vulnerability":"VCID-c46m-ht19-ybc4"},{"vulnerability":"VCID-ev4k-5k1d-2bhu"},{"vulnerability":"VCID-fqkx-v8t5-q3h6"},{"vulnerability":"VCID-jp1p-rfxa-hyd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.10"}],"aliases":["CVE-2020-26227","GHSA-vqqx-jw6p-q3rf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tgyt-axv1-c7ag"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.21"}