Search for vulnerabilities
Vulnerability details: VCID-a3y3-cwp9-zyd6
Vulnerability ID VCID-a3y3-cwp9-zyd6
Aliases CVE-2016-5091
GHSA-jxg5-35fj-ccwf
Summary Extbase for TYPO3 allows RCE Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-254 7PK - Security Features
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.02533 https://api.first.org/data/v1/epss?cve=CVE-2016-5091
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2016-5091
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2016-5091
cvssv3.1 8.1 https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013
generic_textual HIGH https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013
cvssv3.1 8.1 http://www.openwall.com/lists/oss-security/2016/05/25/4
generic_textual HIGH http://www.openwall.com/lists/oss-security/2016/05/25/4
cvssv3.1 8.1 http://www.openwall.com/lists/oss-security/2016/05/26/2
generic_textual HIGH http://www.openwall.com/lists/oss-security/2016/05/26/2
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2016-5091
https://nvd.nist.gov/vuln/detail/CVE-2016-5091
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/
http://www.openwall.com/lists/oss-security/2016/05/25/4
http://www.openwall.com/lists/oss-security/2016/05/26/2
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-5091
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2016/05/25/4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2016/05/26/2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.84768
EPSS Score 0.02533
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:29:53.378056+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jxg5-35fj-ccwf/GHSA-jxg5-35fj-ccwf.json 36.1.3