Aggregates CVE and security vulnerability intelligence across all TYPO3-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk sql injection and related problems; some flaws may lead to vendor impact session compromise, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-6553 | Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 7.3 | 0.17% | 2026-04-21 | 2026-05-05 |
| CVE-2026-0859 | TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.2 | 0.17% | 2026-01-13 | 2026-01-14 |
| CVE-2025-59022 | Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 7.1 | 0.38% | 2026-01-13 | 2026-01-14 |
| CVE-2025-59021 | Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.3 | 0.25% | 2026-01-13 | 2026-01-14 |
| CVE-2025-59020 | By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.3 | 0.29% | 2026-01-13 | 2026-01-14 |
| CVE-2025-59019 | Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.3 | 0.21% | 2025-09-09 | 2025-09-26 |
| CVE-2025-59018 | Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 7.1 | 0.27% | 2025-09-09 | 2025-09-26 |
| CVE-2025-59017 | Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.3 | 0.28% | 2025-09-09 | 2025-09-10 |
| CVE-2025-59016 | Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.3 | 0.21% | 2025-09-09 | 2025-09-10 |
| CVE-2025-59015 | A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 6.3 | 0.17% | 2025-09-09 | 2025-09-10 |
| CVE-2025-59014 | An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving manipulated data in the bookmark toolbar. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.1 | 0.27% | 2025-09-09 | 2025-09-10 |
| CVE-2025-59013 | An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL. | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.3 | 0.17% | 2025-09-09 | 2025-09-10 |
| CVE-2025-7900 | The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0 | f4fb688c-4412-4426-b4b8-421ecf27b14a | 5.3 | 0.20% | 2025-07-22 | 2025-10-07 |
| CVE-2025-47941 | TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, the multifactor authentication (MFA) dialog presented during backend login can be bypassed due to insufficient enforcement of access restrictions on all backend routes. Successful exploitation requires valid backend user credentials, as MFA can only be bypassed after successful authentication. Users should update to TYPO3 version 12.4.31 L | [email protected] | 7.2 | 0.41% | 2025-05-20 | 2025-09-03 |
| CVE-2025-47940 | TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. Users should update to TYPO3 version 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem. | [email protected] | 7.2 | 0.38% | 2025-05-20 | 2025-09-03 |
| CVE-2025-47939 | TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example | [email protected] | 5.4 | 0.16% | 2025-05-20 | 2025-09-03 |
| CVE-2025-47938 | TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current password. When an administrator updates their own account or modifies other user accounts via the admin interface, the current password is not requested for verification. This behavior may lower the protection against unaut | [email protected] | 3.8 | 0.16% | 2025-05-20 | 2025-09-03 |
| CVE-2025-47937 | TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized | [email protected] | 3.7 | 0.25% | 2025-05-20 | 2025-09-03 |
| CVE-2025-47936 | TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, Webhooks are inherently vulnerable to Cross-Site Request Forgery (CSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An a | [email protected] | 3.3 | 0.17% | 2025-05-20 | 2025-09-03 |
| CVE-2024-55945 | TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session o | [email protected] | 4.3 | 0.22% | 2025-01-14 | 2025-08-26 |