PatchSiren cyber security CVE debrief
CVE-2026-47352 TYPO3 CVE debrief
CVE-2026-47352 is a vulnerability in TYPO3 CMS that allows authenticated backend users to retrieve file metadata without proper permission checks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.
- Vendor: TYPO3
- Product: TYPO3 CMS
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Anyone running TYPO3 CMS, especially installations with authenticated backend users, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a patched version of TYPO3 CMS (10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3 or later).
- Review and adjust permission checks for Backend API routes to ensure proper access control.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and affected versions.
Official resources
- CVE-2026-47352 CVE record (CVE.org)
- CVE-2026-47352 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: f4fb688c-4412-4426-b4b8-421ecf27b14a
CVE-2026-47352 was published on 2026-06-09T11:16:53.120Z and modified on 2026-06-09T13:46:50.540Z.