Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-h958-d3pm-kfcs
Vulnerability ID VCID-h958-d3pm-kfcs
Aliases TYPO3-CORE-SA-2016-013
Summary Missing Access Check Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.
Status Published
Exploitability 0.5
Weighted Severity 0.0
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/TYPO3/TYPO3.CMS/commit/21ed4054212babb7ec75d80a24f95c6ba25bd2fb
https://github.com/TYPO3/TYPO3.CMS/commit/404f09d491c96b294ded5e2741277dfbeba92807
https://github.com/TYPO3/TYPO3.CMS/commit/c10db60dfc87c33542c418fa316754a5309c3e26
https://typo3.org/teamssecuritysecurity-bulletins/security-bulletins-single-view/article/missing-access-check-in-typo3-cms/
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:03.736106+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/TYPO3-CORE-SA-2016-013.yml 38.0.0