TYPO3 — Vulnerabilities & Security Advisories 141

Browse all 141 CVE security advisories affecting TYPO3. AI-powered Chinese analysis, POCs, and references for each vulnerability.

TYPO3 is an open-source enterprise content management system primarily designed for large-scale websites and complex digital platforms. Historically, its extensive feature set and modular architecture have introduced a significant attack surface, resulting in 118 recorded Common Vulnerabilities and Exposures. The most prevalent vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation or improper access controls within extensions. While the core framework has seen improved security practices in recent versions, legacy installations remain particularly susceptible to exploitation. Notable incidents have frequently involved unpatched third-party extensions rather than core flaws, highlighting the critical importance of rigorous extension auditing. Security advisories are regularly issued by the TYPO3 Security Team, urging administrators to maintain strict update protocols to mitigate these persistent risks associated with its broad ecosystem.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-49742 | TYPO3 CMS - Broken Access Control in Media Module | TYPO3 CMS | CWE-22 | - | - | 2026-06-09 |
| CVE-2026-49741 | TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework | TYPO3 CMS | CWE-862 | - | - | 2026-06-09 |
| CVE-2026-49740 | TYPO3 CMS - Insecure Deserialization in Core API | TYPO3 CMS | CWE-502 | - | - | 2026-06-09 |
| CVE-2026-49738 | TYPO3 CMS - Broken Access Control in File Abstraction Layer | TYPO3 CMS | CWE-22 | - | - | 2026-06-09 |
| CVE-2026-47352 | TYPO3 CMS - Broken Access Control in Backend API | TYPO3 CMS | CWE-862 | - | - | 2026-06-09 |
| CVE-2026-47351 | TYPO3 CMS - Broken Access Control in Clipboard | TYPO3 CMS | CWE-862 | - | - | 2026-06-09 |
| CVE-2026-47350 | TYPO3 CMS - Broken Access Control in DataHandler | TYPO3 CMS | CWE-862 | - | - | 2026-06-09 |
| CVE-2026-47349 | TYPO3 CMS - Broken Access Control in Recycler | TYPO3 CMS | CWE-862 | - | - | 2026-06-09 |
| CVE-2026-47348 | TYPO3 CMS - Cross-Site Scripting in Indexed Search | TYPO3 CMS | CWE-79 | - | - | 2026-06-09 |
| CVE-2026-47347 | TYPO3 CMS - Open Redirect in Core Utilities | TYPO3 CMS | CWE-601 | - | - | 2026-06-09 |
| CVE-2026-47346 | TYPO3 CMS - Broken Access Control in Form Framework | TYPO3 CMS | CWE-178 | - | - | 2026-06-09 |
| CVE-2026-47343 | TYPO3 CMS - Destructive Actions on File Mount Folders | TYPO3 CMS | CWE-862 | - | - | 2026-06-09 |
| CVE-2026-11607 | TYPO3 CMS - Broken Access Control in Form Framework | TYPO3 CMS | CWE-862 | - | - | 2026-06-09 |
| CVE-2026-47345 | TYPO3 HTML Sanitizer allows Cross-Site Scripting | HTML Sanitizer | CWE-79 | - | - | 2026-06-08 |
| CVE-2026-47344 | TYPO3 HTML Sanitizer allows Cross-Site Scripting | HTML Sanitizer | CWE-79 | - | - | 2026-06-08 |
| CVE-2026-46725 | Remote Code Execution in extension "Content Element Selector" (ceselector) | Extension "Content Element Selector" | CWE-502 | - | - | 2026-05-19 |
| CVE-2026-8827 | SQL Injection in extension "Address List" (tt_address) | Extension "Address List" | CWE-89 | - | - | 2026-05-19 |
| CVE-2026-46724 | Path Traversal in extension "Faceted Search" (ke_search) | Extension "Faceted Search" | CWE-22 | - | - | 2026-05-19 |
| CVE-2026-46723 | Information Disclosure in extension "Faceted Search" (ke_search) | Extension "Faceted Search" | CWE-668 | - | - | 2026-05-19 |
| CVE-2026-46722 | XML External Entity Injection in extension "Faceted Search" (ke_search) | Extension "Faceted Search" | CWE-611 | - | - | 2026-05-19 |
| CVE-2026-8726 | SQL Injection in extension "News system" (news) | Extension "News system" | CWE-89 | - | - | 2026-05-19 |
| CVE-2026-46721 | Broken Access Control in extension "Frontend User Registration" (sf_register) | Extension "Frontend User Registration" | CWE-915 | - | - | 2026-05-19 |
| CVE-2026-8727 | Remote Code Execution in extension "Site Crawler" (crawler) | Extension "Site Crawler" | CWE-502 | - | - | 2026-05-19 |
| CVE-2026-6553 | TYPO3 CMS Stores Cleartext Password in User Settings Module | TYPO3 CMS | CWE-312 | 6.5 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-4208 | Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email) | Extension "E-Mail MFA Provider" | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-17 |
| CVE-2026-4202 | Broken Access Control in extension "Redirect Tab" | Extension "Redirect Tabs" | CWE-862 | 5.4 (AI) | Medium (AI) | 2026-03-17 |
| CVE-2026-1323 | Insecure Deserialization in extension "Mailqueue" (mailqueue) | Extension "Mailqueue" | CWE-502 | 8.8 (AI) | High (AI) | 2026-03-17 |
| CVE-2026-0895 | Insecure Deserialization in extension "Mailqueue" (mailqueue) | Extension "Mailqueue" | CWE-502 | 9.8 (AI) | Critical (AI) | 2026-01-20 |
| CVE-2026-0859 | TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool | TYPO3 CMS | CWE-502 | 7.8 (AI) | High (AI) | 2026-01-13 |
| CVE-2025-59022 | TYPO3 CMS Allows Broken Access Control in Recycler Module | TYPO3 CMS | CWE-862 | 8.1 (AI) | High (AI) | 2026-01-13 |

This page lists every published CVE security advisory associated with TYPO3. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.