SB2026061963 - Multiple vulnerabilities in TYPO3
Published: June 19, 2026
Description
This security bulletin contains information about 12 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2026-11607)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in Form Framework. A remote user can use specially crafted form definition files and gain elevated privileges on the target system.
2) Missing Authorization (CVE-ID: CVE-2026-47343)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in File Abstraction Layer. A remote user can perform write operations on folders representing the root of an active file mount.
3) Open redirect (CVE-ID: CVE-2026-47347)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in Core Utilities. A remote attacker can create a link that appears to lead to the trusted website but, when clicked, redirects the victim to an arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
4) Stored cross-site scripting (CVE-ID: CVE-2026-47348)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Indexed Search. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
5) Missing Authorization (CVE-ID: CVE-2026-47349)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in Recycler. A remote user can restore soft-deleted records on pages or for tables they are not authorized to modify.
6) Missing Authorization (CVE-ID: CVE-2026-47350)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in DataHandler. A remote user can move records to a different page without having edit permissions on the source page.
7) Information disclosure (CVE-ID: CVE-2026-49742)
CWE-ID: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in Clipboard. A remote user can insert arbitrary records and files into the TYPO3 clipboard and gain unauthorized access to sensitive information on the system.
8) Missing Authorization (CVE-ID: CVE-2026-47352)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in Backend API. A remote user can retrieve file metadata via several Backend API routes.
9) Path traversal (CVE-ID: CVE-2026-49738)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in Core API within the GeneralUtility::isAllowedAbsPath() function. A remote administrator can send a specially crafted HTTP request and read or create arbitrary files on the system.
10) Deserialization of Untrusted Data (CVE-ID: CVE-2026-49740)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in Core API. A remote user can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
11) Missing Authorization (CVE-ID: CVE-2026-47346)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in Form Framework. A remote user can bypass the Form Framework's upload restriction and gain elevated privileges on the system.
12) Missing Authorization (CVE-ID: CVE-2026-49741)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks within DataHandler in Form Framework. A remote user can inject arbitrary form configurations and gain elevated privileges on the target system.
Remediation
Install the update from the vendor's website.
References
- https://typo3.org/security/advisory/typo3-core-sa-2026-019/
- https://typo3.org/security/advisory/typo3-core-sa-2026-007/
- https://typo3.org/security/advisory/typo3-core-sa-2026-009/
- https://typo3.org/security/advisory/typo3-core-sa-2026-010/
- https://typo3.org/security/advisory/typo3-core-sa-2026-011/
- https://typo3.org/security/advisory/typo3-core-sa-2026-012/
- https://typo3.org/security/advisory/typo3-core-sa-2026-014/
- https://typo3.org/security/advisory/typo3-core-sa-2026-015/
- https://typo3.org/security/advisory/typo3-core-sa-2026-016/
- https://typo3.org/security/advisory/typo3-core-sa-2026-018/
- https://typo3.org/security/advisory/typo3-core-sa-2026-008/
- https://typo3.org/security/advisory/typo3-core-sa-2026-017/