Filtered by vendor Typo3
Subscriptions
Total
531 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6553 | 1 Typo3 | 1 Typo3 | 2026-04-22 | N/A |
| Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0. | ||||
| CVE-2026-0859 | 1 Typo3 | 1 Typo3 | 2026-04-18 | 7.8 High |
| TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | ||||
| CVE-2026-0895 | 1 Typo3 | 1 Mailqueue | 2026-04-18 | N/A |
| The extension extends TYPO3’ FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . | ||||
| CVE-2006-0327 | 1 Typo3 | 1 Typo3 | 2026-04-16 | N/A |
| TYPO3 3.7.1 allows remote attackers to obtain sensitive information via a direct request to (1) thumbs.php, (2) showpic.php, or (3) tables.php, which causes them to incorrectly define a variable and reveal the path in an error message when a require function call fails. | ||||
| CVE-2005-4875 | 1 Typo3 | 1 Typo3 | 2026-04-16 | N/A |
| TYPO3 3.8.0 and earlier allows remote attackers to obtain sensitive information via a direct request to misc/phpcheck/, which invokes the phpinfo function and prints values of unspecified environment variables. | ||||
| CVE-2025-48200 | 1 Typo3 | 1 Sr Feuser Register Extension | 2026-04-15 | 10 Critical |
| The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. | ||||
| CVE-2024-38874 | 1 Typo3 | 1 Events2 | 2026-04-15 | 5.4 Medium |
| An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users. | ||||
| CVE-2025-9573 | 1 Typo3 | 1 Typo3 | 2026-04-15 | N/A |
| The ns_backup extension through 13.0.2 for TYPO3 allows command injection. | ||||
| CVE-2025-10316 | 1 Typo3 | 1 Typo3 | 2026-04-15 | N/A |
| The extension "Form to Database" is susceptible to Cross-Site Scripting. This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2. | ||||
| CVE-2025-48205 | 1 Typo3 | 1 Sr Feuser Register Extension | 2026-04-15 | 8.6 High |
| The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. | ||||
| CVE-2024-38873 | 1 Typo3 | 1 Friendlycaptcha Official | 2026-04-15 | 5.3 Medium |
| An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the captcha integration for the ext:form extension. | ||||
| CVE-2025-12998 | 1 Typo3 | 1 Typo3 | 2026-04-15 | N/A |
| Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules.This issue affects Extension "Modules": before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5. | ||||
| CVE-2025-59020 | 1 Typo3 | 1 Typo3 | 2026-01-14 | 6.5 Medium |
| By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | ||||
| CVE-2025-59021 | 1 Typo3 | 1 Typo3 | 2026-01-14 | 6.4 Medium |
| Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | ||||
| CVE-2025-59022 | 1 Typo3 | 1 Typo3 | 2026-01-14 | 8.1 High |
| Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | ||||
| CVE-2025-7900 | 1 Typo3 | 1 Typo3 | 2025-10-07 | 6.5 Medium |
| The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0 | ||||
| CVE-2025-59019 | 1 Typo3 | 1 Typo3 | 2025-09-26 | 4.3 Medium |
| Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them. | ||||
| CVE-2025-59018 | 1 Typo3 | 1 Typo3 | 2025-09-26 | 6.5 Medium |
| Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access. | ||||
| CVE-2024-22188 | 1 Typo3 | 1 Typo3 | 2025-09-15 | 7.2 High |
| TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1. | ||||
| CVE-2025-59017 | 1 Typo3 | 1 Typo3 | 2025-09-10 | 8.8 High |
| Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules. | ||||