typo3/cms-core Security Advisories for v13.4.8 (20)
- [HIGH] TYPO3-CORE-SA-2026-019: Broken Access Control in Form Framework
PKSA-2yr3-by9d-r1gh CVE-2026-11607 GHSA-pjpj-v387-x4vq
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-018: Insecure Deserialization in Core API
PKSA-q3vc-jr63-rrrj CVE-2026-49740 GHSA-c78m-c52x-jgwp
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [LOW] TYPO3-CORE-SA-2026-016: Broken Access Control in File Abstraction Layer
PKSA-gj1k-954p-nhmk CVE-2026-49738 GHSA-jf56-v8jc-jcc5
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-015: Broken Access Control in Backend API
PKSA-gr4f-6g49-cg8v CVE-2026-47352 GHSA-2j54-93q2-3hjq
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-014: Broken Access Control in Clipboard
PKSA-32mm-z25f-2ysj CVE-2026-47351 GHSA-q93m-25xv-94hh
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [HIGH] TYPO3-CORE-SA-2026-013: Broken Access Control in Media Module
PKSA-vbrn-fwpj-xmx5 CVE-2026-49742 GHSA-chm7-4vch-h8vr
Affected version: >=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-012: Broken Access Control in DataHandler
PKSA-vv7s-w171-wb2j CVE-2026-47350 GHSA-qcmw-6rm2-5x78
Affected version: >=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-011: Broken Access Control in Recycler
PKSA-bzt2-2962-49bj CVE-2026-47349 GHSA-f34x-rx2w-7pm3
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-010: Cross-Site Scripting in Indexed Search
PKSA-pg93-52nb-x8ym CVE-2026-47348 GHSA-cg75-qfg2-w9hj
Affected version: >=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-009: Open Redirect in TYPO3 CMS
PKSA-s3vj-chpj-8wrn CVE-2026-47347 GHSA-3p42-w5ch-gg42
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [HIGH] TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework
PKSA-6jfs-jhtj-72x7 CVE-2026-47346 GHSA-hwvq-2w67-rvxp
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [HIGH] TYPO3-CORE-SA-2026-007: Broken Access Control in File Abstraction Layer
PKSA-ghx2-mc2z-fx6x CVE-2026-47343 GHSA-3v8v-4wg6-r7qh
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
PKSA-rtck-8z1q-gn5s CVE-2026-0859 GHSA-7vp9-x248-9vr9
Affected version: >=10.0.0,<=10.4.54|>=11.0.0,<=11.5.48|>=12.0.0,<=12.4.40|>=13.0.0,<=13.4.22|>=14.0.0,<=14.0.1
Reported by: GitHub
- [MEDIUM] TYPO3 CMS exposes sensitive information in an error message
PKSA-ns26-fz7n-2jm8 CVE-2025-59016 GHSA-cvm2-5f78-g9m8
Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37|>=11.0.0,<11.5.48|>=10.0.0,<10.4.54|>=9.0.0,<9.5.55
Reported by: GitHub
- [MEDIUM] TYPO3 CMS has an open‑redirect vulnerability
PKSA-pz1k-khnw-3j7j CVE-2025-59013 GHSA-72jf-5fg5-3cw3
Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37|>=11.0.0,<11.5.48|>=10.0.0,<10.4.54|>=9.0.0,<9.5.55
Reported by: GitHub
- [MEDIUM] TYPO3 CMS uses insufficient entropy when generating passwords
PKSA-rwv7-ff55-f18g CVE-2025-59015 GHSA-p5jq-5383-qvc7
Affected version: >=13.0.0,<13.4.18|>=12.0.0,<12.4.37
Reported by: GitHub
- [HIGH] TYPO3 Allows Privilege Escalation to System Maintainer
PKSA-2ssc-6m7w-s9xh CVE-2025-47940 GHSA-6frx-j292-c844
Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.4.0,<=10.4.49
Reported by: GitHub
- [MEDIUM] TYPO3 Allows Unrestricted File Upload in File Abstraction Layer
PKSA-q3vc-nbpk-d1gk CVE-2025-47939 GHSA-9hq9-cr36-4wpj
Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.0.0,<=10.4.49|>=9.0.0,<=9.5.50
Reported by: GitHub
- [LOW] TYPO3 Unverified Password Change for Backend Users
PKSA-6d7x-2gs8-wr59 CVE-2025-47938 GHSA-3jrg-97f3-rqh9
Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.0.0,<=10.4.49|>=9.0.0,<=9.5.50
Reported by: GitHub
- [LOW] TYPO3 Allows Information Disclosure via DBAL Restriction Handling
PKSA-b5m3-ttcx-cz18 CVE-2025-47937 GHSA-x8pv-fgxp-8v3x
Affected version: >=13.0.0,<=13.4.11|>=12.0.0,<=12.4.30|>=11.0.0,<=11.5.43|>=10.0.0,<=10.4.49|>=9.0.0,<=9.5.50
Reported by: GitHub