PatchSiren cyber security CVE debrief

CVE-2016-5091 Typo3 CVE debrief

CVE-2016-5091 affects TYPO3 Extbase and is rated high severity by NVD. The issue can let a remote attacker obtain sensitive information and, in some cases, possibly execute arbitrary code through a crafted Extbase action. The source set shows the vendor and mailing-list references in May 2016, while the CVE record itself was published on 2017-01-23.

Vendor: Typo3
Product: CVE-2016-5091
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

TYPO3 administrators, application owners, and developers who run or maintain affected TYPO3 installations should treat this as important. Any team operating public-facing TYPO3 sites or custom extensions that rely on Extbase should verify patch status and version exposure.

Technical summary

The NVD record describes a network-reachable flaw in TYPO3 Extbase with no privileges and no user interaction required, though exploitation complexity is listed as high. Impact is recorded as high for confidentiality, integrity, and availability in the CVSS 3.0 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). NVD also maps the weakness to CWE-254. The affected versions listed in the source set include TYPO3 4.3.0 through 6.2.23, the TYPO3 7.x branch up to 7.6.8, and 8.1.1.

Defensive priority

High. Patch affected TYPO3 installations promptly, especially systems exposed to the network, because the potential impact includes sensitive-data exposure and possible code execution. Prioritize verification of all deployed TYPO3 versions against the vendor bulletin and upgrade any affected branches to the fixed release.

Recommended defensive actions

Upgrade TYPO3 instances running 4.3.0 through 6.2.23 to 6.2.24 or later.
Upgrade TYPO3 7.x installations to 7.6.8 or later.
Check any deployment on 8.1.1 against the TYPO3 security bulletin and apply the vendor-fixed release for that branch.
Review exposed Extbase actions and custom extensions for unexpected routing or handler behavior until patching is complete.
Confirm all production, staging, and legacy instances are inventoried so no affected TYPO3 release is missed.
Monitor TYPO3 vendor advisories and NVD updates for any follow-up guidance.

Evidence notes

This debrief is based only on the supplied NVD record and the linked official/vendor references. The NVD metadata supplies the impact statement, CVSS 3.0 vector, and affected-version criteria, and it lists CWE-254. The reference set includes two Openwall oss-security mailing-list items dated 2016-05-25 and 2016-05-26 plus the TYPO3 Core security bulletin SA-2016-013. No KEV entry or ransomware-campaign flag is present in the supplied data.

Official resources

CVE-2016-5091 CVE record
CVE.org
CVE-2016-5091 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory

Vendor and mailing-list references in the supplied corpus are dated May 2016, indicating public disclosure around that time. The CVE record was published on 2017-01-23 and last modified on 2026-05-13. No KEV listing is present in the source