Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%
Buy Us a Coffee

CVE-2026-49738— TYPO3 CMS - Broken Access Control in File Abstraction Layer

AI Predicted 8.1 Difficulty: Easy EPSS 0.36% · P27

Affected Version Matrix 5

VendorProductVersion RangeStatus
TYPO3TYPO3 CMS< 10.4.57affected
11.0.0< 11.5.51affected
12.0.0< 12.4.46affected
13.0.0< 13.4.31affected
14.0.0< 14.3.3affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-49738

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
TYPO3 CMS - Broken Access Control in File Abstraction Layer
Source: NVD (National Vulnerability Database)
Vulnerability Description
The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
TYPO3 CMS 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
TYPO3 CMS是TYPO3开源的一个内容管理系统。 TYPO3 CMS 10.4.57之前版本、11.0.0至11.5.51版本、12.0.0至12.4.46版本、13.0.0至13.4.31版本和14.0.0至14.3.3版本存在路径遍历漏洞,该漏洞源于GeneralUtility::isAllowedAbsPath中的路径检查执行了纯字符串前缀比较而未要求目录分隔符边界,导致路径如/var/www/html-other/secret.yaml被错误接受为有效,具有文件抽象层访问权限的管理员用户能够
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
TYPO3TYPO3 CMS 0 ~ 10.4.57 -

II. Public POCs for CVE-2026-49738

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-49738

登录查看更多情报信息。

Patches & Fixes for CVE-2026-49738 (2)

Vendor Advisories for CVE-2026-49738 (1)

Same Patch Batch · TYPO3 · 2026-06-09 · 13 CVEs total

CVE-2026-47347TYPO3 CMS - Open Redirect in Core Utilities
CVE-2026-47349TYPO3 CMS - Broken Access Control in Recycler
CVE-2026-47350TYPO3 CMS - Broken Access Control in DataHandler
CVE-2026-47348TYPO3 CMS - Cross-Site Scripting in Indexed Search
CVE-2026-47352TYPO3 CMS - Broken Access Control in Backend API
CVE-2026-47346TYPO3 CMS - Broken Access Control in Form Framework
CVE-2026-47351TYPO3 CMS - Broken Access Control in Clipboard
CVE-2026-47343TYPO3 CMS - Destructive Actions on File Mount Folders
CVE-2026-11607TYPO3 CMS - Broken Access Control in Form Framework
CVE-2026-49742TYPO3 CMS - Broken Access Control in Media Module
CVE-2026-49740TYPO3 CMS - Insecure Deserialization in Core API
CVE-2026-49741TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework

IV. Related Vulnerabilities

Same product: TYPO3 CMS
Same vendor: TYPO3
Same weakness: CWE-22

V. Comments for CVE-2026-49738

No comments yet

Leave a comment