Known Vulnerabilities for TYPO3 CMS by TYPO3

Listed below are 10 of the newest known vulnerabilities associated with "TYPO3 CMS" by "TYPO3".

These CVEs are retrieved based on exact matches on listed software, hardware, and vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed software information are still displayed.

Data on known vulnerable versions is also displayed, based on information from known CPEs.

Known Vulnerabilities

| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-49742 | Backend users with file download permissions were able to download files from the fallback storage of the file abstraction la... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-49741 | Backend users with write access to the form_definition database table were able to directly create, update, or delete form de... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-49740 | TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integri... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-49738 | The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-47352 | Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission chec... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-47351 | Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks,... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-47350 | Backend users were able to move records to a different page without having edit permissions on the source page. This issue af... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-47349 | Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were n... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-47348 | Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the ... | Not Provided | 2026-06-09 | 2026-06-09 |
| CVE-2026-47347 | Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if th... | Not Provided | 2026-06-09 | 2026-06-09 |

© CVE.report 2026