Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-cdjv-fp71-y3dv
Vulnerability ID VCID-cdjv-fp71-y3dv
Aliases CVE-2020-26229
GHSA-q9cp-mc96-m4w2
Summary XML External Entity in Dashboard Widget ### Problem It has been discovered that RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with _libxml2_ version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed. ### Solution Update to TYPO3 version 10.4.10 that fixes the problem described.
Status Published
Exploitability 0.5
Weighted Severity 3.3
Risk 1.6
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-611 Improper Restriction of XML External Entity Reference
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0027 https://api.first.org/data/v1/epss?cve=CVE-2020-26229
epss 0.0027 https://api.first.org/data/v1/epss?cve=CVE-2020-26229
epss 0.0027 https://api.first.org/data/v1/epss?cve=CVE-2020-26229
epss 0.0027 https://api.first.org/data/v1/epss?cve=CVE-2020-26229
epss 0.0027 https://api.first.org/data/v1/epss?cve=CVE-2020-26229
epss 0.0027 https://api.first.org/data/v1/epss?cve=CVE-2020-26229
epss 0.0027 https://api.first.org/data/v1/epss?cve=CVE-2020-26229
epss 0.0027 https://api.first.org/data/v1/epss?cve=CVE-2020-26229
cvssv3.1_qr LOW https://github.com/advisories/GHSA-q9cp-mc96-m4w2
cvssv3.1 3.7 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml
generic_textual LOW https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml
cvssv3.1 3.7 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml
generic_textual LOW https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml
cvssv3.1 3.7 https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2
cvssv3.1_qr LOW https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2
generic_textual LOW https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2
cvssv3.1 3.7 https://nvd.nist.gov/vuln/detail/CVE-2020-26229
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2020-26229
cvssv3.1 3.7 https://typo3.org/security/advisory/typo3-core-sa-2020-012
generic_textual LOW https://typo3.org/security/advisory/typo3-core-sa-2020-012
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2020-26229
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml
https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2
https://nvd.nist.gov/vuln/detail/CVE-2020-26229
https://typo3.org/security/advisory/typo3-core-sa-2020-012
GHSA-q9cp-mc96-m4w2 https://github.com/advisories/GHSA-q9cp-mc96-m4w2
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L Found at https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2020-26229
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L Found at https://typo3.org/security/advisory/typo3-core-sa-2020-012
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.50431
EPSS Score 0.0027
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:00:17.576978+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-q9cp-mc96-m4w2/GHSA-q9cp-mc96-m4w2.json 38.0.0