Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/typo3/cms-core@12.0.0

Type composer

Namespace typo3

Name cms-core

Version 12.0.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 12.4.41

Latest_non_vulnerable_version 14.3.3

Affected_by_vulnerabilities

url VCID-46ah-934v-kygj

vulnerability_id VCID-46ah-934v-kygj

summary An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-59013

reference_id

reference_type

scores

value	0.0005
scoring_system	epss
scoring_elements	0.16114
published_at	2026-06-13T12:55:00Z

value	0.0005
scoring_system	epss
scoring_elements	0.15964
published_at	2026-06-11T12:55:00Z

value	0.0005
scoring_system	epss
scoring_elements	0.16105
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-59013

reference_url

https://github.com/TYPO3-CMS/core

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core

reference_url

https://github.com/TYPO3-CMS/core/commit/862b9da870815132c31119cd85bc454a5010793c

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core/commit/862b9da870815132c31119cd85bc454a5010793c

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-59013

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-59013

reference_url	https://github.com/advisories/GHSA-72jf-5fg5-3cw3
reference_id	GHSA-72jf-5fg5-3cw3
reference_type
scores
url	https://github.com/advisories/GHSA-72jf-5fg5-3cw3

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2025-017

reference_id

typo3-core-sa-2025-017

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T19:31:48Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2025-017

fixed_packages

url pkg:composer/typo3/cms-core@12.4.37

purl pkg:composer/typo3/cms-core@12.4.37

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.37

url pkg:composer/typo3/cms-core@13.4.18

purl pkg:composer/typo3/cms-core@13.4.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.18

aliases CVE-2025-59013, GHSA-72jf-5fg5-3cw3

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-46ah-934v-kygj

url VCID-4hp8-5qeb-wyam

vulnerability_id VCID-4hp8-5qeb-wyam

summary TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unauthorized access in scenarios where an admin session is hijacked or left unattended, as it enables password changes without additional authentication. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-47938

reference_id

reference_type

scores

value	0.00158
scoring_system	epss
scoring_elements	0.36601
published_at	2026-06-13T12:55:00Z

value	0.00158
scoring_system	epss
scoring_elements	0.36577
published_at	2026-06-12T12:55:00Z

value	0.00158
scoring_system	epss
scoring_elements	0.36396
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-47938

reference_url

https://github.com/TYPO3-CMS/core/commit/b9a8bcb614ecdd42aa27e1c430c6213d6b6b20b3

reference_id

reference_type

scores

value	3.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core/commit/b9a8bcb614ecdd42aa27e1c430c6213d6b6b20b3

reference_url

https://github.com/TYPO3-CMS/setup/commit/60572dd050d8d861921889a19599bfe045fed5fd

reference_id

reference_type

scores

value	3.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/setup/commit/60572dd050d8d861921889a19599bfe045fed5fd

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-47938

reference_id

reference_type

scores

value	3.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-47938

reference_url	https://github.com/advisories/GHSA-3jrg-97f3-rqh9
reference_id	GHSA-3jrg-97f3-rqh9
reference_type
scores
url	https://github.com/advisories/GHSA-3jrg-97f3-rqh9

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-3jrg-97f3-rqh9

reference_id

GHSA-3jrg-97f3-rqh9

reference_type

scores

value	3.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-20T13:56:18Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-3jrg-97f3-rqh9

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2025-013

reference_id

typo3-core-sa-2025-013

reference_type

scores

value	3.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-20T13:56:18Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2025-013

fixed_packages

url pkg:composer/typo3/cms-core@12.4.31

purl pkg:composer/typo3/cms-core@12.4.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.31

url pkg:composer/typo3/cms-core@13.4.12

purl pkg:composer/typo3/cms-core@13.4.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.12

aliases CVE-2025-47938, GHSA-3jrg-97f3-rqh9

risk_score 1.7

exploitability 0.5

weighted_severity 3.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4hp8-5qeb-wyam

url VCID-4uxt-xatk-vybr

vulnerability_id VCID-4uxt-xatk-vybr

summary Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-49742

reference_id

reference_type

scores

value	0.00036
scoring_system	epss
scoring_elements	0.10936
published_at	2026-06-11T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.10991
published_at	2026-06-13T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.10998
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-49742

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49742.yaml

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49742.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-chm7-4vch-h8vr

reference_id

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-chm7-4vch-h8vr

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-49742

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-49742

reference_url

https://github.com/TYPO3/typo3/commit/ad636b6183843b57c758a1e12174a75093ac93c3

reference_id

ad636b6183843b57c758a1e12174a75093ac93c3

reference_type

scores

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:26:36Z/

url

https://github.com/TYPO3/typo3/commit/ad636b6183843b57c758a1e12174a75093ac93c3

reference_url

https://github.com/TYPO3/typo3/commit/caa6b444d7ab1bdd1eb76a68004c8be73d98e6ae

reference_id

caa6b444d7ab1bdd1eb76a68004c8be73d98e6ae

reference_type

scores

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:26:36Z/

url

https://github.com/TYPO3/typo3/commit/caa6b444d7ab1bdd1eb76a68004c8be73d98e6ae

reference_url

https://github.com/advisories/GHSA-chm7-4vch-h8vr

reference_id

GHSA-chm7-4vch-h8vr

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-chm7-4vch-h8vr

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-013

reference_id

typo3-core-sa-2026-013

reference_type

scores

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:26:36Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-013

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-49742, GHSA-chm7-4vch-h8vr

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4uxt-xatk-vybr

url VCID-5ddb-qvu6-c7dd

vulnerability_id VCID-5ddb-qvu6-c7dd

summary TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23504

reference_id

reference_type

scores

value	0.00406
scoring_system	epss
scoring_elements	0.61626
published_at	2026-06-13T12:55:00Z

value	0.00406
scoring_system	epss
scoring_elements	0.61515
published_at	2026-06-11T12:55:00Z

value	0.00406
scoring_system	epss
scoring_elements	0.61618
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23504

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23504.yaml

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23504.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23504.yaml

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23504.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/d1e627ff7eef07bd94c53db861e85977b203900a

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/d1e627ff7eef07bd94c53db861e85977b203900a

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23504

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23504

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2022-016

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2022-016

reference_url

https://github.com/advisories/GHSA-8w3p-qh3x-6gjr

reference_id

GHSA-8w3p-qh3x-6gjr

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8w3p-qh3x-6gjr

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-8w3p-qh3x-6gjr

reference_id

GHSA-8w3p-qh3x-6gjr

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T19:21:01Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-8w3p-qh3x-6gjr

fixed_packages

url pkg:composer/typo3/cms-core@12.1.1

purl pkg:composer/typo3/cms-core@12.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-g6wm-gjsy-7fdt

vulnerability	VCID-jtqp-g65r-93hs

vulnerability	VCID-p2gb-esw8-3ya7

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-sq7n-ehxa-rbb9

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-vc1g-tqkt-w7gt

vulnerability	VCID-ve54-aaqx-xkck

vulnerability	VCID-wutq-k9ph-zyab

vulnerability	VCID-x2ne-qxnz-rkem

vulnerability	VCID-xbzy-s3xw-y7ey

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.1.1

aliases CVE-2022-23504, GHSA-8w3p-qh3x-6gjr, GMS-2022-8131

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5ddb-qvu6-c7dd

url VCID-9f74-pxxq-3qea

vulnerability_id VCID-9f74-pxxq-3qea

summary TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID tx_cms_showpic_`) is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-34357

reference_id

reference_type

scores

value	0.00634
scoring_system	epss
scoring_elements	0.7097
published_at	2026-06-13T12:55:00Z

value	0.00634
scoring_system	epss
scoring_elements	0.70866
published_at	2026-06-11T12:55:00Z

value	0.00634
scoring_system	epss
scoring_elements	0.70957
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-34357

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7

reference_id

376474904f6b9a54dc1b785a2e45277cbd13b0d7

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:47:12Z/

url

https://github.com/TYPO3/typo3/commit/376474904f6b9a54dc1b785a2e45277cbd13b0d7

reference_url

https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee

reference_id

b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:47:12Z/

url

https://github.com/TYPO3/typo3/commit/b31d05d1da3eeaeead2d19eb43b1c3f9c88e15ee

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-34357

reference_id

CVE-2024-34357

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-34357

reference_url

https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1

reference_id

d774642381354d3bf5095a5a26e18acd2767f0b1

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:47:12Z/

url

https://github.com/TYPO3/typo3/commit/d774642381354d3bf5095a5a26e18acd2767f0b1

reference_url

https://github.com/advisories/GHSA-hw6c-6gwq-3m3m

reference_id

GHSA-hw6c-6gwq-3m3m

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hw6c-6gwq-3m3m

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m

reference_id

GHSA-hw6c-6gwq-3m3m

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:47:12Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-hw6c-6gwq-3m3m

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-009

reference_id

typo3-core-sa-2024-009

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:47:12Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2024-009

fixed_packages

url pkg:composer/typo3/cms-core@12.4.15

purl pkg:composer/typo3/cms-core@12.4.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15

url pkg:composer/typo3/cms-core@13.1.1

purl pkg:composer/typo3/cms-core@13.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.1.1

aliases CVE-2024-34357, GHSA-hw6c-6gwq-3m3m

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9f74-pxxq-3qea

url VCID-9fu7-2brx-j3az

vulnerability_id VCID-9fu7-2brx-j3az

summary TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-34358

reference_id

reference_type

scores

value	0.0005
scoring_system	epss
scoring_elements	0.16202
published_at	2026-06-13T12:55:00Z

value	0.0005
scoring_system	epss
scoring_elements	0.16051
published_at	2026-06-11T12:55:00Z

value	0.0005
scoring_system	epss
scoring_elements	0.16193
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-34358

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14

reference_id

05c95fed869a1a6dcca06c7077b83b6ea866ff14

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/

url

https://github.com/TYPO3/typo3/commit/05c95fed869a1a6dcca06c7077b83b6ea866ff14

reference_url

https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5

reference_id

1e70ebf736935413b0531004839362b4fb0755a5

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/

url

https://github.com/TYPO3/typo3/commit/1e70ebf736935413b0531004839362b4fb0755a5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-34358

reference_id

CVE-2024-34358

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-34358

reference_url

https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142

reference_id

df7909b6a1cf0f12a42994d0cc3376b607746142

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/

url

https://github.com/TYPO3/typo3/commit/df7909b6a1cf0f12a42994d0cc3376b607746142

reference_url

https://github.com/advisories/GHSA-36g8-62qv-5957

reference_id

GHSA-36g8-62qv-5957

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-36g8-62qv-5957

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957

reference_id

GHSA-36g8-62qv-5957

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-36g8-62qv-5957

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-010

reference_id

typo3-core-sa-2024-010

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:43:40Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2024-010

fixed_packages

url pkg:composer/typo3/cms-core@12.4.15

purl pkg:composer/typo3/cms-core@12.4.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15

url pkg:composer/typo3/cms-core@13.1.1

purl pkg:composer/typo3/cms-core@13.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.1.1

aliases CVE-2024-34358, GHSA-36g8-62qv-5957

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9fu7-2brx-j3az

url VCID-9mh5-8n3y-93c8

vulnerability_id VCID-9mh5-8n3y-93c8

summary TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-47937

reference_id

reference_type

scores

value	0.00201
scoring_system	epss
scoring_elements	0.4238
published_at	2026-06-13T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42358
published_at	2026-06-12T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42193
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-47937

reference_url

https://github.com/TYPO3-CMS/core

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-47937

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-47937

reference_url	https://github.com/advisories/GHSA-x8pv-fgxp-8v3x
reference_id	GHSA-x8pv-fgxp-8v3x
reference_type
scores
url	https://github.com/advisories/GHSA-x8pv-fgxp-8v3x

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x

reference_id

GHSA-x8pv-fgxp-8v3x

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-20T13:57:34Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2025-011

reference_id

typo3-core-sa-2025-011

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-20T13:57:34Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2025-011

fixed_packages

url pkg:composer/typo3/cms-core@12.4.31

purl pkg:composer/typo3/cms-core@12.4.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.31

url pkg:composer/typo3/cms-core@13.4.12

purl pkg:composer/typo3/cms-core@13.4.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.12

aliases CVE-2025-47937, GHSA-x8pv-fgxp-8v3x

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9mh5-8n3y-93c8

url VCID-ant9-spg8-1ug5

vulnerability_id VCID-ant9-spg8-1ug5

summary A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-59015

reference_id

reference_type

scores

value	0.00062
scoring_system	epss
scoring_elements	0.19776
published_at	2026-06-13T12:55:00Z

value	0.00062
scoring_system	epss
scoring_elements	0.19583
published_at	2026-06-11T12:55:00Z

value	0.00062
scoring_system	epss
scoring_elements	0.19758
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-59015

reference_url

https://github.com/TYPO3-CMS/core

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core

reference_url

https://github.com/TYPO3-CMS/core/commit/d2057cc7b2c2db417a2af38c30cb9da42302ab70

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core/commit/d2057cc7b2c2db417a2af38c30cb9da42302ab70

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-59015

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-59015

reference_url	https://github.com/advisories/GHSA-p5jq-5383-qvc7
reference_id	GHSA-p5jq-5383-qvc7
reference_type
scores
url	https://github.com/advisories/GHSA-p5jq-5383-qvc7

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2025-019

reference_id

typo3-core-sa-2025-019

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T19:31:01Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2025-019

fixed_packages

url pkg:composer/typo3/cms-core@12.4.37

purl pkg:composer/typo3/cms-core@12.4.37

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.37

url pkg:composer/typo3/cms-core@13.4.18

purl pkg:composer/typo3/cms-core@13.4.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.18

aliases CVE-2025-59015, GHSA-p5jq-5383-qvc7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ant9-spg8-1ug5

url VCID-arjb-mbgt-97dh

vulnerability_id VCID-arjb-mbgt-97dh

summary TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. Users should update to TYPO3 version 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-47940

reference_id

reference_type

scores

value	0.00316
scoring_system	epss
scoring_elements	0.55156
published_at	2026-06-11T12:55:00Z

value	0.00316
scoring_system	epss
scoring_elements	0.55293
published_at	2026-06-13T12:55:00Z

value	0.00316
scoring_system	epss
scoring_elements	0.55277
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-47940

reference_url

https://github.com/TYPO3-CMS/core

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core

reference_url

https://github.com/TYPO3-CMS/core/commit/a659cc8c0ae05c44dd7f01d13629cdd2d0b7219b

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core/commit/a659cc8c0ae05c44dd7f01d13629cdd2d0b7219b

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-47940

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-47940

reference_url	https://github.com/advisories/GHSA-6frx-j292-c844
reference_id	GHSA-6frx-j292-c844
reference_type
scores
url	https://github.com/advisories/GHSA-6frx-j292-c844

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-6frx-j292-c844

reference_id

GHSA-6frx-j292-c844

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-20T14:35:19Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-6frx-j292-c844

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2025-016

reference_id

typo3-core-sa-2025-016

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-20T14:35:19Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2025-016

fixed_packages

url pkg:composer/typo3/cms-core@12.4.31

purl pkg:composer/typo3/cms-core@12.4.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.31

url pkg:composer/typo3/cms-core@13.4.12

purl pkg:composer/typo3/cms-core@13.4.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.12

aliases CVE-2025-47940, GHSA-6frx-j292-c844

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-arjb-mbgt-97dh

url VCID-czs7-qdpv-87ec

vulnerability_id VCID-czs7-qdpv-87ec

summary Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-47347

reference_id

reference_type

scores

value	0.00039
scoring_system	epss
scoring_elements	0.11925
published_at	2026-06-11T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.12018
published_at	2026-06-13T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.12015
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-47347

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47347.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47347.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-3p42-w5ch-gg42

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-3p42-w5ch-gg42

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-47347

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-47347

reference_url

https://github.com/TYPO3/typo3/commit/22c2dd5398ebc4cb7aa4aa37e02cb39181dee0cd

reference_id

22c2dd5398ebc4cb7aa4aa37e02cb39181dee0cd

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:53:20Z/

url

https://github.com/TYPO3/typo3/commit/22c2dd5398ebc4cb7aa4aa37e02cb39181dee0cd

reference_url

https://github.com/TYPO3/typo3/commit/3ffc0835012c6199db0e1dc4b56a77147d8600e0

reference_id

3ffc0835012c6199db0e1dc4b56a77147d8600e0

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:53:20Z/

url

https://github.com/TYPO3/typo3/commit/3ffc0835012c6199db0e1dc4b56a77147d8600e0

reference_url

https://github.com/advisories/GHSA-3p42-w5ch-gg42

reference_id

GHSA-3p42-w5ch-gg42

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3p42-w5ch-gg42

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-009

reference_id

typo3-core-sa-2026-009

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:53:20Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-009

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-47347, GHSA-3p42-w5ch-gg42

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-czs7-qdpv-87ec

url VCID-dmu3-33f8-n7g5

vulnerability_id VCID-dmu3-33f8-n7g5

summary Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-47352

reference_id

reference_type

scores

value	0.00036
scoring_system	epss
scoring_elements	0.11235
published_at	2026-06-11T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11295
published_at	2026-06-13T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11304
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-47352

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47352.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47352.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-2j54-93q2-3hjq

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-2j54-93q2-3hjq

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-47352

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-47352

reference_url

https://github.com/TYPO3/typo3/commit/17a3b7830d5931725db5fdab0cfc76d479884c96

reference_id

17a3b7830d5931725db5fdab0cfc76d479884c96

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:46:51Z/

url

https://github.com/TYPO3/typo3/commit/17a3b7830d5931725db5fdab0cfc76d479884c96

reference_url

https://github.com/TYPO3/typo3/commit/bfe7c354168f467726020ed49299dd209a455719

reference_id

bfe7c354168f467726020ed49299dd209a455719

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:46:51Z/

url

https://github.com/TYPO3/typo3/commit/bfe7c354168f467726020ed49299dd209a455719

reference_url

https://github.com/advisories/GHSA-2j54-93q2-3hjq

reference_id

GHSA-2j54-93q2-3hjq

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2j54-93q2-3hjq

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-015

reference_id

typo3-core-sa-2026-015

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:46:51Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-015

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-47352, GHSA-2j54-93q2-3hjq

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dmu3-33f8-n7g5

url VCID-ecwa-f4mn-7kcm

vulnerability_id VCID-ecwa-f4mn-7kcm

summary Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-47346

reference_id

reference_type

scores

value	0.0003
scoring_system	epss
scoring_elements	0.0906
published_at	2026-06-11T12:55:00Z

value	0.0003
scoring_system	epss
scoring_elements	0.09106
published_at	2026-06-13T12:55:00Z

value	0.0003
scoring_system	epss
scoring_elements	0.09104
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-47346

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47346.yaml

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47346.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-hwvq-2w67-rvxp

reference_id

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-hwvq-2w67-rvxp

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-47346

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-47346

reference_url

https://github.com/TYPO3/typo3/commit/2030617e6f273cee7b756c695f0a48a45a31eb47

reference_id

2030617e6f273cee7b756c695f0a48a45a31eb47

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-09T12:51:14Z/

url

https://github.com/TYPO3/typo3/commit/2030617e6f273cee7b756c695f0a48a45a31eb47

reference_url

https://github.com/TYPO3/typo3/commit/eb2b2251d90339d3ab55df3d4c0378ae0c780b45

reference_id

eb2b2251d90339d3ab55df3d4c0378ae0c780b45

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-09T12:51:14Z/

url

https://github.com/TYPO3/typo3/commit/eb2b2251d90339d3ab55df3d4c0378ae0c780b45

reference_url

https://github.com/advisories/GHSA-hwvq-2w67-rvxp

reference_id

GHSA-hwvq-2w67-rvxp

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hwvq-2w67-rvxp

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-008

reference_id

typo3-core-sa-2026-008

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-09T12:51:14Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-008

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-47346, GHSA-hwvq-2w67-rvxp

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ecwa-f4mn-7kcm

url VCID-fnsv-g4mz-hqgz

vulnerability_id VCID-fnsv-g4mz-hqgz

summary TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-49740

reference_id

reference_type

scores

value	0.00246
scoring_system	epss
scoring_elements	0.48193
published_at	2026-06-11T12:55:00Z

value	0.00246
scoring_system	epss
scoring_elements	0.48347
published_at	2026-06-13T12:55:00Z

value	0.00246
scoring_system	epss
scoring_elements	0.4833
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-49740

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49740.yaml

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49740.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-c78m-c52x-jgwp

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-c78m-c52x-jgwp

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-49740

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-49740

reference_url

https://github.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7

reference_id

48bcf24f31f52cc0b43d3bea4984634bd2cf85c7

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:40:19Z/

url

https://github.com/TYPO3/typo3/commit/48bcf24f31f52cc0b43d3bea4984634bd2cf85c7

reference_url

https://github.com/TYPO3/typo3/commit/87cd7c5b710c44d3606fed277b040a75dc6a9c02

reference_id

87cd7c5b710c44d3606fed277b040a75dc6a9c02

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:40:19Z/

url

https://github.com/TYPO3/typo3/commit/87cd7c5b710c44d3606fed277b040a75dc6a9c02

reference_url

https://github.com/advisories/GHSA-c78m-c52x-jgwp

reference_id

GHSA-c78m-c52x-jgwp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c78m-c52x-jgwp

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-018

reference_id

typo3-core-sa-2026-018

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:40:19Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-018

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-49740, GHSA-c78m-c52x-jgwp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fnsv-g4mz-hqgz

url VCID-g3yr-vd28-sfhx

vulnerability_id VCID-g3yr-vd28-sfhx

summary Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-47351

reference_id

reference_type

scores

value	0.00036
scoring_system	epss
scoring_elements	0.11235
published_at	2026-06-11T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11295
published_at	2026-06-13T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11304
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-47351

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47351.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47351.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-q93m-25xv-94hh

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-q93m-25xv-94hh

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-47351

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-47351

reference_url

https://github.com/TYPO3/typo3/commit/2740707563343d78184c0b7c6303a7484553d7f3

reference_id

2740707563343d78184c0b7c6303a7484553d7f3

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:47:51Z/

url

https://github.com/TYPO3/typo3/commit/2740707563343d78184c0b7c6303a7484553d7f3

reference_url

https://github.com/TYPO3/typo3/commit/932fbb9fcea25094e8bcc0f0ec5aab56b1d92451

reference_id

932fbb9fcea25094e8bcc0f0ec5aab56b1d92451

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:47:51Z/

url

https://github.com/TYPO3/typo3/commit/932fbb9fcea25094e8bcc0f0ec5aab56b1d92451

reference_url

https://github.com/advisories/GHSA-q93m-25xv-94hh

reference_id

GHSA-q93m-25xv-94hh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q93m-25xv-94hh

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-014

reference_id

typo3-core-sa-2026-014

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:47:51Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-014

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-47351, GHSA-q93m-25xv-94hh

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g3yr-vd28-sfhx

url VCID-g6wm-gjsy-7fdt

vulnerability_id VCID-g6wm-gjsy-7fdt

summary TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-25120

reference_id

reference_type

scores

value	0.00188
scoring_system	epss
scoring_elements	0.40538
published_at	2026-06-11T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.4073
published_at	2026-06-13T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40706
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-25120

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6

reference_url

https://github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68f

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68f

reference_url

https://github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cdd

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cdd

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-25120

reference_id

CVE-2024-25120

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-25120

reference_url

https://github.com/advisories/GHSA-wf85-8hx9-gj7c

reference_id

GHSA-wf85-8hx9-gj7c

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wf85-8hx9-gj7c

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c

reference_id

GHSA-wf85-8hx9-gj7c

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-005

reference_id

typo3-core-sa-2024-005

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2024-005

reference_url

https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references

reference_id

Typolink.html#resource-references

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/

url

https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references

fixed_packages

url pkg:composer/typo3/cms-core@12.4.11

purl pkg:composer/typo3/cms-core@12.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11

url pkg:composer/typo3/cms-core@13.0.1

purl pkg:composer/typo3/cms-core@13.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-fn5d-fhbq-yyhv

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1

aliases CVE-2024-25120, GHSA-wf85-8hx9-gj7c

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g6wm-gjsy-7fdt

url VCID-humm-nga7-hbe4

vulnerability_id VCID-humm-nga7-hbe4

summary TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23501

reference_id

reference_type

scores

value	0.00198
scoring_system	epss
scoring_elements	0.41942
published_at	2026-06-13T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41758
published_at	2026-06-11T12:55:00Z

value	0.00198
scoring_system	epss
scoring_elements	0.41924
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23501

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23501.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23501.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23501.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23501.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/28be9cdb3fed02ce4cfc6fa2d39f7d8e2266eced

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/28be9cdb3fed02ce4cfc6fa2d39f7d8e2266eced

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23501

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23501

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2022-013

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2022-013

reference_url

https://github.com/advisories/GHSA-jfp7-79g7-89rf

reference_id

GHSA-jfp7-79g7-89rf

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jfp7-79g7-89rf

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf

reference_id

GHSA-jfp7-79g7-89rf

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T18:48:00Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf

fixed_packages

url pkg:composer/typo3/cms-core@12.1.1

purl pkg:composer/typo3/cms-core@12.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-g6wm-gjsy-7fdt

vulnerability	VCID-jtqp-g65r-93hs

vulnerability	VCID-p2gb-esw8-3ya7

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-sq7n-ehxa-rbb9

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-vc1g-tqkt-w7gt

vulnerability	VCID-ve54-aaqx-xkck

vulnerability	VCID-wutq-k9ph-zyab

vulnerability	VCID-x2ne-qxnz-rkem

vulnerability	VCID-xbzy-s3xw-y7ey

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.1.1

aliases CVE-2022-23501, GHSA-jfp7-79g7-89rf, GMS-2022-8134

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-humm-nga7-hbe4

url VCID-jtqp-g65r-93hs

vulnerability_id VCID-jtqp-g65r-93hs

summary TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-38499

reference_id

reference_type

scores

value	0.02247
scoring_system	epss
scoring_elements	0.85
published_at	2026-06-13T12:55:00Z

value	0.02247
scoring_system	epss
scoring_elements	0.84938
published_at	2026-06-11T12:55:00Z

value	0.02247
scoring_system	epss
scoring_elements	0.84991
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-38499

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-38499

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-38499

reference_url

https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6a

reference_id

702e2debd4b28f9cdb540544565fe6a8627ccb6a

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T18:16:37Z/

url

https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6a

reference_url

https://github.com/advisories/GHSA-jq6g-4v5m-wm9r

reference_id

GHSA-jq6g-4v5m-wm9r

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jq6g-4v5m-wm9r

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9r

reference_id

GHSA-jq6g-4v5m-wm9r

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T18:16:37Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9r

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2023-003

reference_id

typo3-core-sa-2023-003

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T18:16:37Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2023-003

fixed_packages

url pkg:composer/typo3/cms-core@12.4.4

purl pkg:composer/typo3/cms-core@12.4.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-g6wm-gjsy-7fdt

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-sq7n-ehxa-rbb9

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-vc1g-tqkt-w7gt

vulnerability	VCID-ve54-aaqx-xkck

vulnerability	VCID-wutq-k9ph-zyab

vulnerability	VCID-x2ne-qxnz-rkem

vulnerability	VCID-xbzy-s3xw-y7ey

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.4

aliases CVE-2023-38499, GHSA-jq6g-4v5m-wm9r

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jtqp-g65r-93hs

url VCID-k21a-rfcp-6kfa

vulnerability_id VCID-k21a-rfcp-6kfa

summary Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-47343

reference_id

reference_type

scores

value	0.00036
scoring_system	epss
scoring_elements	0.11235
published_at	2026-06-11T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11295
published_at	2026-06-13T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11304
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-47343

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47343.yaml

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47343.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-3v8v-4wg6-r7qh

reference_id

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-3v8v-4wg6-r7qh

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-47343

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-47343

reference_url

https://github.com/TYPO3/typo3/commit/504e72470ff72aaf5d2256878bf473747f389798

reference_id

504e72470ff72aaf5d2256878bf473747f389798

reference_type

scores

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T12:53:19Z/

url

https://github.com/TYPO3/typo3/commit/504e72470ff72aaf5d2256878bf473747f389798

reference_url

https://github.com/TYPO3/typo3/commit/ac4125aef8b9b94528a7f74db2444db57b05a87b

reference_id

ac4125aef8b9b94528a7f74db2444db57b05a87b

reference_type

scores

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T12:53:19Z/

url

https://github.com/TYPO3/typo3/commit/ac4125aef8b9b94528a7f74db2444db57b05a87b

reference_url

https://github.com/advisories/GHSA-3v8v-4wg6-r7qh

reference_id

GHSA-3v8v-4wg6-r7qh

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3v8v-4wg6-r7qh

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-007

reference_id

typo3-core-sa-2026-007

reference_type

scores

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T12:53:19Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-007

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-47343, GHSA-3v8v-4wg6-r7qh

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k21a-rfcp-6kfa

url VCID-mkd8-ahrf-mfg9

vulnerability_id VCID-mkd8-ahrf-mfg9

summary Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-47349

reference_id

reference_type

scores

value	0.00036
scoring_system	epss
scoring_elements	0.11235
published_at	2026-06-11T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11295
published_at	2026-06-13T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11304
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-47349

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47349.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47349.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-f34x-rx2w-7pm3

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-f34x-rx2w-7pm3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-47349

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-47349

reference_url

https://github.com/TYPO3/typo3/commit/92f08d8944f1aeccf506fcd323c260448c64d7c8

reference_id

92f08d8944f1aeccf506fcd323c260448c64d7c8

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:51:14Z/

url

https://github.com/TYPO3/typo3/commit/92f08d8944f1aeccf506fcd323c260448c64d7c8

reference_url

https://github.com/TYPO3/typo3/commit/9f17a307cf774d63ab8291fc97c6b55653b4265a

reference_id

9f17a307cf774d63ab8291fc97c6b55653b4265a

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:51:14Z/

url

https://github.com/TYPO3/typo3/commit/9f17a307cf774d63ab8291fc97c6b55653b4265a

reference_url

https://github.com/advisories/GHSA-f34x-rx2w-7pm3

reference_id

GHSA-f34x-rx2w-7pm3

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f34x-rx2w-7pm3

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-011

reference_id

typo3-core-sa-2026-011

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:51:14Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-011

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-47349, GHSA-f34x-rx2w-7pm3

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mkd8-ahrf-mfg9

url VCID-p2gb-esw8-3ya7

vulnerability_id VCID-p2gb-esw8-3ya7

summary TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-24814

reference_id

reference_type

scores

value	0.00867
scoring_system	epss
scoring_elements	0.7568
published_at	2026-06-13T12:55:00Z

value	0.00867
scoring_system	epss
scoring_elements	0.75597
published_at	2026-06-11T12:55:00Z

value	0.00867
scoring_system	epss
scoring_elements	0.75667
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-24814

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2023-24814.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2023-24814.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-24814

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-24814

reference_url

https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a

reference_id

0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/

url

https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a

reference_url

https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484

reference_id

GeneralUtility.php#L2481-L2484

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/

url

https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484

reference_url

https://github.com/advisories/GHSA-r4f8-f93x-5qh3

reference_id

GHSA-r4f8-f93x-5qh3

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r4f8-f93x-5qh3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3

reference_id

GHSA-r4f8-f93x-5qh3

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3

reference_url

https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix

reference_id

Index.html#absrefprefix

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/

url

https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2023-001

reference_id

typo3-core-sa-2023-001

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2023-001

reference_url

https://typo3.org/security/advisory/typo3-psa-2023-001

reference_id

typo3-psa-2023-001

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/

url

https://typo3.org/security/advisory/typo3-psa-2023-001

reference_url

https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549

reference_id

TypoScriptFrontendController.php#L2547-L2549

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:14Z/

url

https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549

fixed_packages

url pkg:composer/typo3/cms-core@12.2.0

purl pkg:composer/typo3/cms-core@12.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-g6wm-gjsy-7fdt

vulnerability	VCID-jtqp-g65r-93hs

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-sq7n-ehxa-rbb9

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-vc1g-tqkt-w7gt

vulnerability	VCID-ve54-aaqx-xkck

vulnerability	VCID-wutq-k9ph-zyab

vulnerability	VCID-x2ne-qxnz-rkem

vulnerability	VCID-xbzy-s3xw-y7ey

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.2.0

aliases CVE-2023-24814, GHSA-r4f8-f93x-5qh3

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p2gb-esw8-3ya7

url VCID-qnk5-9jfz-5bhh

vulnerability_id VCID-qnk5-9jfz-5bhh

summary TYPO3 is a free and open source Content Management Framework. Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks. Users are advised to update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 LTS, 12.4.25 LTS, 13.4.3 which fix the problem described. There are no known workarounds for this vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-55892

reference_id

reference_type

scores

value	0.00253
scoring_system	epss
scoring_elements	0.48868
published_at	2026-06-11T12:55:00Z

value	0.00253
scoring_system	epss
scoring_elements	0.49022
published_at	2026-06-13T12:55:00Z

value	0.00253
scoring_system	epss
scoring_elements	0.49004
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-55892

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/a4abf48d254685f43383e6e7f80d48aebaea56af

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/a4abf48d254685f43383e6e7f80d48aebaea56af

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-55892

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-55892

reference_url	https://github.com/advisories/GHSA-2fx5-pggv-6jjr
reference_id	GHSA-2fx5-pggv-6jjr
reference_type
scores
url	https://github.com/advisories/GHSA-2fx5-pggv-6jjr

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr

reference_id

GHSA-2fx5-pggv-6jjr

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:12:41Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2025-002

reference_id

typo3-core-sa-2025-002

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:12:41Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2025-002

fixed_packages

url pkg:composer/typo3/cms-core@12.4.25

purl pkg:composer/typo3/cms-core@12.4.25

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.25

url pkg:composer/typo3/cms-core@13.4.3

purl pkg:composer/typo3/cms-core@13.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.3

aliases CVE-2024-55892, GHSA-2fx5-pggv-6jjr

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qnk5-9jfz-5bhh

url VCID-rxu6-ccns-m3fk

vulnerability_id VCID-rxu6-ccns-m3fk

summary TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to the form module. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1 fix the problem described.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-34356

reference_id

reference_type

scores

value	0.00634
scoring_system	epss
scoring_elements	0.7097
published_at	2026-06-13T12:55:00Z

value	0.00634
scoring_system	epss
scoring_elements	0.70866
published_at	2026-06-11T12:55:00Z

value	0.00634
scoring_system	epss
scoring_elements	0.70957
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-34356

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/2832e2f51f929aeddb5de7d667538a33ceda8156

reference_id

2832e2f51f929aeddb5de7d667538a33ceda8156

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T15:21:11Z/

url

https://github.com/TYPO3/typo3/commit/2832e2f51f929aeddb5de7d667538a33ceda8156

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-34356

reference_id

CVE-2024-34356

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-34356

reference_url

https://github.com/TYPO3/typo3/commit/d0393a879a32fb4e3569acad6bdb5cda776be1e5

reference_id

d0393a879a32fb4e3569acad6bdb5cda776be1e5

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T15:21:11Z/

url

https://github.com/TYPO3/typo3/commit/d0393a879a32fb4e3569acad6bdb5cda776be1e5

reference_url

https://github.com/TYPO3/typo3/commit/e95a1224719efafb9cab2d85964f240fd0356e64

reference_id

e95a1224719efafb9cab2d85964f240fd0356e64

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T15:21:11Z/

url

https://github.com/TYPO3/typo3/commit/e95a1224719efafb9cab2d85964f240fd0356e64

reference_url

https://github.com/advisories/GHSA-v6mw-h7w6-59w3

reference_id

GHSA-v6mw-h7w6-59w3

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v6mw-h7w6-59w3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-v6mw-h7w6-59w3

reference_id

GHSA-v6mw-h7w6-59w3

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T15:21:11Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-v6mw-h7w6-59w3

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-008

reference_id

typo3-core-sa-2024-008

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T15:21:11Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2024-008

fixed_packages

url pkg:composer/typo3/cms-core@12.4.15

purl pkg:composer/typo3/cms-core@12.4.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.15

url pkg:composer/typo3/cms-core@13.1.1

purl pkg:composer/typo3/cms-core@13.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.1.1

aliases CVE-2024-34356, GHSA-v6mw-h7w6-59w3

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rxu6-ccns-m3fk

url VCID-sq7n-ehxa-rbb9

vulnerability_id VCID-sq7n-ehxa-rbb9

summary TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-25118

reference_id

reference_type

scores

value	0.00508
scoring_system	epss
scoring_elements	0.66765
published_at	2026-06-11T12:55:00Z

value	0.00508
scoring_system	epss
scoring_elements	0.66871
published_at	2026-06-13T12:55:00Z

value	0.00508
scoring_system	epss
scoring_elements	0.66857
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-25118

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/1186b2fec8a665a8f228ed66e6d60abf8407c17b

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/1186b2fec8a665a8f228ed66e6d60abf8407c17b

reference_url

https://github.com/TYPO3/typo3/commit/c7a135c25a14b852eebe4335f21ba3c606188f3a

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/c7a135c25a14b852eebe4335f21ba3c606188f3a

reference_url

https://github.com/TYPO3/typo3/commit/cafc5af7fdce7734e6c8f9ecf2efd17b246fc049

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/cafc5af7fdce7734e6c8f9ecf2efd17b246fc049

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-25118

reference_id

CVE-2024-25118

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-25118

reference_url

https://github.com/advisories/GHSA-38r2-5695-334w

reference_id

GHSA-38r2-5695-334w

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-38r2-5695-334w

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w

reference_id

GHSA-38r2-5695-334w

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T17:58:02Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-38r2-5695-334w

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-003

reference_id

typo3-core-sa-2024-003

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T17:58:02Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2024-003

fixed_packages

url pkg:composer/typo3/cms-core@12.4.11

purl pkg:composer/typo3/cms-core@12.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11

url pkg:composer/typo3/cms-core@13.0.1

purl pkg:composer/typo3/cms-core@13.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-fn5d-fhbq-yyhv

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1

aliases CVE-2024-25118, GHSA-38r2-5695-334w

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sq7n-ehxa-rbb9

url VCID-stvv-ndwu-nqer

vulnerability_id VCID-stvv-ndwu-nqer

summary Path Traversal in TYPO3 File Abstraction Layer Storages

references

reference_url

http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-30451

reference_id

reference_type

scores

value	0.00403
scoring_system	epss
scoring_elements	0.61333
published_at	2026-06-11T12:55:00Z

value	0.00403
scoring_system	epss
scoring_elements	0.61445
published_at	2026-06-13T12:55:00Z

value	0.00403
scoring_system	epss
scoring_elements	0.61437
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-30451

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/205115cca3d67594a12d0195c937da0e51eb494a

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/205115cca3d67594a12d0195c937da0e51eb494a

reference_url

https://github.com/TYPO3/typo3/commit/78fb9287a2f0487c39288070cb0493a5265f1789

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/78fb9287a2f0487c39288070cb0493a5265f1789

reference_url

https://github.com/TYPO3/typo3/commit/accf537c7379b4359bc0f957c4d0c07baddd710a

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/accf537c7379b4359bc0f957c4d0c07baddd710a

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-001

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2024-001

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-30451

reference_id

CVE-2023-30451

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-30451

reference_url

https://github.com/advisories/GHSA-w6x2-jg8h-p6mp

reference_id

GHSA-w6x2-jg8h-p6mp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-w6x2-jg8h-p6mp

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-w6x2-jg8h-p6mp

reference_id

GHSA-w6x2-jg8h-p6mp

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-w6x2-jg8h-p6mp

fixed_packages

url pkg:composer/typo3/cms-core@12.4.11

purl pkg:composer/typo3/cms-core@12.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11

url pkg:composer/typo3/cms-core@13.0.1

purl pkg:composer/typo3/cms-core@13.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-fn5d-fhbq-yyhv

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1

aliases CVE-2023-30451, GHSA-w6x2-jg8h-p6mp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-stvv-ndwu-nqer

url VCID-tyba-yxs8-7kgb

vulnerability_id VCID-tyba-yxs8-7kgb

summary TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23503

reference_id

reference_type

scores

value	0.00483
scoring_system	epss
scoring_elements	0.6578
published_at	2026-06-13T12:55:00Z

value	0.00483
scoring_system	epss
scoring_elements	0.65668
published_at	2026-06-11T12:55:00Z

value	0.00483
scoring_system	epss
scoring_elements	0.65765
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23503

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23503.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23503.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23503.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23503.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/1302e88565821f2159e08b5d818d28de17ecc830

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/1302e88565821f2159e08b5d818d28de17ecc830

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23503

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23503

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2022-015

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2022-015

reference_url

https://github.com/advisories/GHSA-c5wx-6c2c-f7rm

reference_id

GHSA-c5wx-6c2c-f7rm

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c5wx-6c2c-f7rm

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-c5wx-6c2c-f7rm

reference_id

GHSA-c5wx-6c2c-f7rm

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-18T18:23:57Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-c5wx-6c2c-f7rm

fixed_packages

url pkg:composer/typo3/cms-core@12.1.1

purl pkg:composer/typo3/cms-core@12.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-g6wm-gjsy-7fdt

vulnerability	VCID-jtqp-g65r-93hs

vulnerability	VCID-p2gb-esw8-3ya7

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-sq7n-ehxa-rbb9

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-vc1g-tqkt-w7gt

vulnerability	VCID-ve54-aaqx-xkck

vulnerability	VCID-wutq-k9ph-zyab

vulnerability	VCID-x2ne-qxnz-rkem

vulnerability	VCID-xbzy-s3xw-y7ey

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.1.1

aliases CVE-2022-23503, GHSA-c5wx-6c2c-f7rm, GMS-2022-8132

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tyba-yxs8-7kgb

url VCID-u1bz-wj83-nbbt

vulnerability_id VCID-u1bz-wj83-nbbt

summary TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`) starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-47939

reference_id

reference_type

scores

value	0.00129
scoring_system	epss
scoring_elements	0.31863
published_at	2026-06-11T12:55:00Z

value	0.00129
scoring_system	epss
scoring_elements	0.32065
published_at	2026-06-13T12:55:00Z

value	0.00129
scoring_system	epss
scoring_elements	0.32049
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-47939

reference_url

https://github.com/TYPO3-CMS/core

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core

reference_url

https://github.com/TYPO3-CMS/core/commit/c265beed6e2c01817c534a226e80e593400f8255

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core/commit/c265beed6e2c01817c534a226e80e593400f8255

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-47939

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-47939

reference_url	https://github.com/advisories/GHSA-9hq9-cr36-4wpj
reference_id	GHSA-9hq9-cr36-4wpj
reference_type
scores
url	https://github.com/advisories/GHSA-9hq9-cr36-4wpj

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-9hq9-cr36-4wpj

reference_id

GHSA-9hq9-cr36-4wpj

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-20T14:08:07Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-9hq9-cr36-4wpj

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2025-014

reference_id

typo3-core-sa-2025-014

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-20T14:08:07Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2025-014

fixed_packages

url pkg:composer/typo3/cms-core@12.4.31

purl pkg:composer/typo3/cms-core@12.4.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.31

url pkg:composer/typo3/cms-core@13.4.12

purl pkg:composer/typo3/cms-core@13.4.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.12

aliases CVE-2025-47939, GHSA-9hq9-cr36-4wpj

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u1bz-wj83-nbbt

url VCID-v1kq-a6wk-bka9

vulnerability_id VCID-v1kq-a6wk-bka9

summary TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, 12.1.1.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23502

reference_id

reference_type

scores

value	0.00245
scoring_system	epss
scoring_elements	0.48179
published_at	2026-06-13T12:55:00Z

value	0.00245
scoring_system	epss
scoring_elements	0.48024
published_at	2026-06-11T12:55:00Z

value	0.00245
scoring_system	epss
scoring_elements	0.48162
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23502

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23502.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23502.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23502.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23502.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/d9ffbf24fcc62068033ebb3912538347bd380a6c

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/d9ffbf24fcc62068033ebb3912538347bd380a6c

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23502

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23502

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2022-014

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-core-sa-2022-014

reference_url

https://github.com/advisories/GHSA-mgj2-q8wp-29rr

reference_id

GHSA-mgj2-q8wp-29rr

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mgj2-q8wp-29rr

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr

reference_id

GHSA-mgj2-q8wp-29rr

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T18:47:27Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr

fixed_packages

url pkg:composer/typo3/cms-core@12.1.1

purl pkg:composer/typo3/cms-core@12.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-g6wm-gjsy-7fdt

vulnerability	VCID-jtqp-g65r-93hs

vulnerability	VCID-p2gb-esw8-3ya7

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-sq7n-ehxa-rbb9

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-vc1g-tqkt-w7gt

vulnerability	VCID-ve54-aaqx-xkck

vulnerability	VCID-wutq-k9ph-zyab

vulnerability	VCID-x2ne-qxnz-rkem

vulnerability	VCID-xbzy-s3xw-y7ey

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.1.1

aliases CVE-2022-23502, GHSA-mgj2-q8wp-29rr, GMS-2022-8135

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v1kq-a6wk-bka9

url VCID-v8fy-y9h5-y7fy

vulnerability_id VCID-v8fy-y9h5-y7fy

summary The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-49738

reference_id

reference_type

scores

value	0.00032
scoring_system	epss
scoring_elements	0.09857
published_at	2026-06-11T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09906
published_at	2026-06-13T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09903
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-49738

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49738.yaml

reference_id

reference_type

scores

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49738.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-jf56-v8jc-jcc5

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-jf56-v8jc-jcc5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-49738

reference_id

reference_type

scores

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-49738

reference_url

https://github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5

reference_id

150a983a5d687cedcfc33bbe9c335d9a13fd05e5

reference_type

scores

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:42:59Z/

url

https://github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5

reference_url

https://github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d

reference_id

44c2fa9807944136218a0842e3051c0a379a002d

reference_type

scores

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:42:59Z/

url

https://github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d

reference_url

https://github.com/advisories/GHSA-jf56-v8jc-jcc5

reference_id

GHSA-jf56-v8jc-jcc5

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jf56-v8jc-jcc5

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-016

reference_id

typo3-core-sa-2026-016

reference_type

scores

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-09T13:42:59Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-016

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-49738, GHSA-jf56-v8jc-jcc5

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v8fy-y9h5-y7fy

url VCID-vc1g-tqkt-w7gt

vulnerability_id VCID-vc1g-tqkt-w7gt

summary TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-25121

reference_id

reference_type

scores

value	0.003
scoring_system	epss
scoring_elements	0.53693
published_at	2026-06-11T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53836
published_at	2026-06-13T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53819
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-25121

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/38f0bf9a61e10365be26eb75bc23a81184dbed07

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/38f0bf9a61e10365be26eb75bc23a81184dbed07

reference_url

https://github.com/TYPO3/typo3/commit/71e652bf84b16fd3592205f61f36750ab03db74c

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/71e652bf84b16fd3592205f61f36750ab03db74c

reference_url

https://github.com/TYPO3/typo3/commit/b47b6ddf5a5f3f852c6e43f837360780c12e3c47

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/b47b6ddf5a5f3f852c6e43f837360780c12e3c47

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-25121

reference_id

CVE-2024-25121

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-25121

reference_url

https://github.com/advisories/GHSA-rj3x-wvc6-5j66

reference_id

GHSA-rj3x-wvc6-5j66

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rj3x-wvc6-5j66

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-rj3x-wvc6-5j66

reference_id

GHSA-rj3x-wvc6-5j66

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:07:53Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-rj3x-wvc6-5j66

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-006

reference_id

typo3-core-sa-2024-006

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:07:53Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2024-006

fixed_packages

url pkg:composer/typo3/cms-core@12.4.11

purl pkg:composer/typo3/cms-core@12.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11

url pkg:composer/typo3/cms-core@13.0.1

purl pkg:composer/typo3/cms-core@13.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-fn5d-fhbq-yyhv

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1

aliases CVE-2024-25121, GHSA-rj3x-wvc6-5j66

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vc1g-tqkt-w7gt

url VCID-ve54-aaqx-xkck

vulnerability_id VCID-ve54-aaqx-xkck

summary TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-22188

reference_id

reference_type

scores

value	0.00687
scoring_system	epss
scoring_elements	0.72301
published_at	2026-06-13T12:55:00Z

value	0.00687
scoring_system	epss
scoring_elements	0.72288
published_at	2026-06-12T12:55:00Z

value	0.00687
scoring_system	epss
scoring_elements	0.72205
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-22188

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/47e897f8c7668ef299ecc9ce93f52cafbb3497ed

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/47e897f8c7668ef299ecc9ce93f52cafbb3497ed

reference_url

https://github.com/TYPO3/typo3/commit/6cc11761b8e2434fa4ccc9f096c65ca82569cfdf

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/6cc11761b8e2434fa4ccc9f096c65ca82569cfdf

reference_url

https://github.com/TYPO3/typo3/commit/84e07e35b880a544b517868432c56987d05d46d4

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/84e07e35b880a544b517868432c56987d05d46d4

reference_url

https://typo3.org/security/advisory/typo3-psa-2020-002

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-psa-2020-002

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-22188

reference_id

CVE-2024-22188

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-22188

reference_url

https://github.com/advisories/GHSA-5w2h-59j3-8x5w

reference_id

GHSA-5w2h-59j3-8x5w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5w2h-59j3-8x5w

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w

reference_id

GHSA-5w2h-59j3-8x5w

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-05T16:17:44Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-002

reference_id

typo3-core-sa-2024-002

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-05T16:17:44Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2024-002

fixed_packages

url pkg:composer/typo3/cms-core@12.4.11

purl pkg:composer/typo3/cms-core@12.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11

url pkg:composer/typo3/cms-core@13.0.1

purl pkg:composer/typo3/cms-core@13.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-fn5d-fhbq-yyhv

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1

aliases CVE-2024-22188, GHSA-5w2h-59j3-8x5w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ve54-aaqx-xkck

url VCID-wutq-k9ph-zyab

vulnerability_id VCID-wutq-k9ph-zyab

summary TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-47127

reference_id

reference_type

scores

value	0.00181
scoring_system	epss
scoring_elements	0.39844
published_at	2026-06-12T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39868
published_at	2026-06-13T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39674
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-47127

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2023-47127.yaml

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2023-47127.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-47127

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-47127

reference_url

https://github.com/TYPO3/typo3/commit/535dfbdc54fd5362e0bc08d911db44eac7f64019

reference_id

535dfbdc54fd5362e0bc08d911db44eac7f64019

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:41:35Z/

url

https://github.com/TYPO3/typo3/commit/535dfbdc54fd5362e0bc08d911db44eac7f64019

reference_url

https://github.com/advisories/GHSA-3vmm-7h4j-69rm

reference_id

GHSA-3vmm-7h4j-69rm

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3vmm-7h4j-69rm

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-3vmm-7h4j-69rm

reference_id

GHSA-3vmm-7h4j-69rm

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:41:35Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-3vmm-7h4j-69rm

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2023-006

reference_id

typo3-core-sa-2023-006

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T20:41:35Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2023-006

fixed_packages

url pkg:composer/typo3/cms-core@12.4.8

purl pkg:composer/typo3/cms-core@12.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-g6wm-gjsy-7fdt

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-sq7n-ehxa-rbb9

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-vc1g-tqkt-w7gt

vulnerability	VCID-ve54-aaqx-xkck

vulnerability	VCID-x2ne-qxnz-rkem

vulnerability	VCID-xbzy-s3xw-y7ey

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.8

aliases CVE-2023-47127, GHSA-3vmm-7h4j-69rm

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wutq-k9ph-zyab

url VCID-x2ne-qxnz-rkem

vulnerability_id VCID-x2ne-qxnz-rkem

summary TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-0859

reference_id

reference_type

scores

value	0.00031
scoring_system	epss
scoring_elements	0.09365
published_at	2026-06-11T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.14367
published_at	2026-06-13T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.14366
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-0859

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	5.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f

reference_id

3225d705080a1bde57a66689621c947da5a4782f

reference_type

scores

value	5.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-13T14:11:54Z/

url

https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f

reference_url

https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13

reference_id

722bf71c118b0a8e4f2c2494854437d846799a13

reference_type

scores

value	5.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-13T14:11:54Z/

url

https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-0859

reference_id

CVE-2026-0859

reference_type

scores

value	5.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-0859

reference_url

https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f

reference_id

e0f0ceee480c203fbb60b87454f5f193e541d27f

reference_type

scores

value	5.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-13T14:11:54Z/

url

https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f

reference_url

https://github.com/advisories/GHSA-7vp9-x248-9vr9

reference_id

GHSA-7vp9-x248-9vr9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7vp9-x248-9vr9

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-7vp9-x248-9vr9

reference_id

GHSA-7vp9-x248-9vr9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-7vp9-x248-9vr9

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-004

reference_id

typo3-core-sa-2026-004

reference_type

scores

value	5.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-13T14:11:54Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-004

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.41
purl	pkg:composer/typo3/cms-core@12.4.41
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.41

url	pkg:composer/typo3/cms-core@13.4.23
purl	pkg:composer/typo3/cms-core@13.4.23
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.23

url	pkg:composer/typo3/cms-core@14.0.2
purl	pkg:composer/typo3/cms-core@14.0.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.0.2

aliases CVE-2026-0859, GHSA-7vp9-x248-9vr9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x2ne-qxnz-rkem

url VCID-xbzy-s3xw-y7ey

vulnerability_id VCID-xbzy-s3xw-y7ey

summary TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-25119

reference_id

reference_type

scores

value	0.00291
scoring_system	epss
scoring_elements	0.52898
published_at	2026-06-11T12:55:00Z

value	0.00291
scoring_system	epss
scoring_elements	0.53042
published_at	2026-06-13T12:55:00Z

value	0.00291
scoring_system	epss
scoring_elements	0.53027
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-25119

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/commit/14d101359c71ee963cf51ad0c8ae777b7b9ec9a1

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/14d101359c71ee963cf51ad0c8ae777b7b9ec9a1

reference_url

https://github.com/TYPO3/typo3/commit/df486372ea56fac241d3c96ad43a7729fee64557

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/df486372ea56fac241d3c96ad43a7729fee64557

reference_url

https://github.com/TYPO3/typo3/commit/fa12667c046342ebfd9b159c646aeafdbc52fcfd

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/commit/fa12667c046342ebfd9b159c646aeafdbc52fcfd

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-25119

reference_id

CVE-2024-25119

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-25119

reference_url

https://github.com/advisories/GHSA-h47m-3f78-qp9g

reference_id

GHSA-h47m-3f78-qp9g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-h47m-3f78-qp9g

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-h47m-3f78-qp9g

reference_id

GHSA-h47m-3f78-qp9g

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:01:19Z/

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-h47m-3f78-qp9g

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2024-004

reference_id

typo3-core-sa-2024-004

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:01:19Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2024-004

fixed_packages

url pkg:composer/typo3/cms-core@12.4.11

purl pkg:composer/typo3/cms-core@12.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11

url pkg:composer/typo3/cms-core@13.0.1

purl pkg:composer/typo3/cms-core@13.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4hp8-5qeb-wyam

vulnerability	VCID-9f74-pxxq-3qea

vulnerability	VCID-9fu7-2brx-j3az

vulnerability	VCID-9mh5-8n3y-93c8

vulnerability	VCID-ant9-spg8-1ug5

vulnerability	VCID-arjb-mbgt-97dh

vulnerability	VCID-fn5d-fhbq-yyhv

vulnerability	VCID-qnk5-9jfz-5bhh

vulnerability	VCID-rxu6-ccns-m3fk

vulnerability	VCID-u1bz-wj83-nbbt

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1

aliases CVE-2024-25119, GHSA-h47m-3f78-qp9g

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xbzy-s3xw-y7ey

url VCID-xt1y-ba2e-9ug3

vulnerability_id VCID-xt1y-ba2e-9ug3

summary Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-11607

reference_id

reference_type

scores

value	0.00036
scoring_system	epss
scoring_elements	0.11235
published_at	2026-06-11T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11295
published_at	2026-06-13T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.11304
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-11607

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-11607.yaml

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-11607.yaml

reference_url

https://github.com/TYPO3/typo3

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3

reference_url

https://github.com/TYPO3/typo3/security/advisories/GHSA-pjpj-v387-x4vq

reference_id

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/typo3/security/advisories/GHSA-pjpj-v387-x4vq

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-11607

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-11607

reference_url

https://github.com/TYPO3/typo3/commit/040d50d082a01f9e8bd113effd91290a9bb3b69e

reference_id

040d50d082a01f9e8bd113effd91290a9bb3b69e

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-09T12:53:44Z/

url

https://github.com/TYPO3/typo3/commit/040d50d082a01f9e8bd113effd91290a9bb3b69e

reference_url

https://github.com/TYPO3/typo3/commit/50974c658f647f1aece347b5d6d5acc3c87f2dca

reference_id

50974c658f647f1aece347b5d6d5acc3c87f2dca

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-09T12:53:44Z/

url

https://github.com/TYPO3/typo3/commit/50974c658f647f1aece347b5d6d5acc3c87f2dca

reference_url

https://github.com/advisories/GHSA-pjpj-v387-x4vq

reference_id

GHSA-pjpj-v387-x4vq

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-pjpj-v387-x4vq

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2026-019

reference_id

typo3-core-sa-2026-019

reference_type

scores

value	7.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-09T12:53:44Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2026-019

fixed_packages

url	pkg:composer/typo3/cms-core@12.4.46
purl	pkg:composer/typo3/cms-core@12.4.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.46

url	pkg:composer/typo3/cms-core@13.4.31
purl	pkg:composer/typo3/cms-core@13.4.31
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.31

url	pkg:composer/typo3/cms-core@14.3.3
purl	pkg:composer/typo3/cms-core@14.3.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@14.3.3

aliases CVE-2026-11607, GHSA-pjpj-v387-x4vq

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xt1y-ba2e-9ug3

url VCID-yu3u-zecv-2fa2

vulnerability_id VCID-yu3u-zecv-2fa2

summary Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-59016

reference_id

reference_type

scores

value	0.00078
scoring_system	epss
scoring_elements	0.23401
published_at	2026-06-13T12:55:00Z

value	0.00078
scoring_system	epss
scoring_elements	0.23194
published_at	2026-06-11T12:55:00Z

value	0.00078
scoring_system	epss
scoring_elements	0.23389
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-59016

reference_url

https://github.com/TYPO3-CMS/core

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core

reference_url

https://github.com/TYPO3-CMS/core/commit/e1e4380a2d8e72228c597403f0463c21d6e1b8d9

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3-CMS/core/commit/e1e4380a2d8e72228c597403f0463c21d6e1b8d9

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-59016

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-59016

reference_url	https://github.com/advisories/GHSA-cvm2-5f78-g9m8
reference_id	GHSA-cvm2-5f78-g9m8
reference_type
scores
url	https://github.com/advisories/GHSA-cvm2-5f78-g9m8

reference_url

https://typo3.org/security/advisory/typo3-core-sa-2025-020

reference_id

typo3-core-sa-2025-020

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T19:30:29Z/

url

https://typo3.org/security/advisory/typo3-core-sa-2025-020

fixed_packages

url pkg:composer/typo3/cms-core@12.4.37

purl pkg:composer/typo3/cms-core@12.4.37

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.37

url pkg:composer/typo3/cms-core@13.4.18

purl pkg:composer/typo3/cms-core@13.4.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-x2ne-qxnz-rkem

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.4.18

aliases CVE-2025-59016, GHSA-cvm2-5f78-g9m8

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yu3u-zecv-2fa2

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.0.0

Package Instance