typo3/cms-core Security Advisories for v14.1.0 (13)
- [HIGH] TYPO3-CORE-SA-2026-019: Broken Access Control in Form Framework
PKSA-2yr3-by9d-r1gh CVE-2026-11607 GHSA-pjpj-v387-x4vq
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-018: Insecure Deserialization in Core API
PKSA-q3vc-jr63-rrrj CVE-2026-49740 GHSA-c78m-c52x-jgwp
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [HIGH] TYPO3-CORE-SA-2026-017: Privilege Escalation & SQL Injection in Form Framework
PKSA-hqhs-7j5f-td2d CVE-2026-49741 GHSA-jh32-v29g-68pq
Affected version: >=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [LOW] TYPO3-CORE-SA-2026-016: Broken Access Control in File Abstraction Layer
PKSA-gj1k-954p-nhmk CVE-2026-49738 GHSA-jf56-v8jc-jcc5
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-015: Broken Access Control in Backend API
PKSA-gr4f-6g49-cg8v CVE-2026-47352 GHSA-2j54-93q2-3hjq
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-014: Broken Access Control in Clipboard
PKSA-32mm-z25f-2ysj CVE-2026-47351 GHSA-q93m-25xv-94hh
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [HIGH] TYPO3-CORE-SA-2026-013: Broken Access Control in Media Module
PKSA-vbrn-fwpj-xmx5 CVE-2026-49742 GHSA-chm7-4vch-h8vr
Affected version: >=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-012: Broken Access Control in DataHandler
PKSA-vv7s-w171-wb2j CVE-2026-47350 GHSA-qcmw-6rm2-5x78
Affected version: >=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-011: Broken Access Control in Recycler
PKSA-bzt2-2962-49bj CVE-2026-47349 GHSA-f34x-rx2w-7pm3
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-010: Cross-Site Scripting in Indexed Search
PKSA-pg93-52nb-x8ym CVE-2026-47348 GHSA-cg75-qfg2-w9hj
Affected version: >=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [MEDIUM] TYPO3-CORE-SA-2026-009: Open Redirect in TYPO3 CMS
PKSA-s3vj-chpj-8wrn CVE-2026-47347 GHSA-3p42-w5ch-gg42
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [HIGH] TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework
PKSA-6jfs-jhtj-72x7 CVE-2026-47346 GHSA-hwvq-2w67-rvxp
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories
- [HIGH] TYPO3-CORE-SA-2026-007: Broken Access Control in File Abstraction Layer
PKSA-ghx2-mc2z-fx6x CVE-2026-47343 GHSA-3v8v-4wg6-r7qh
Affected version: <10.4.57|>=11.0.0,<11.5.51|>=12.0.0,<12.4.46|>=13.0.0,<13.4.31|>=14.0.0,<14.3.3
Reported by:
GitHub, FriendsOfPHP/security-advisories