PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49738 TYPO3 CVE debrief

A vulnerability in TYPO3 CMS, tracked as CVE-2026-49738, allows administrator users with access to the File Abstraction Layer to create new file storage definitions pointing to directories outside the project root. This is possible due to a flawed path allowance check in GeneralUtility::isAllowedAbsPath(), which performs a plain string prefix comparison without requiring a directory separator boundary. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3.

Vendor
TYPO3
Product
TYPO3 CMS
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-09
Original CVE updated
2026-06-09
Advisory published
2026-06-09
Advisory updated
2026-06-09

Who should care

Administrators and users of TYPO3 CMS, especially those with administrator privileges and access to the File Abstraction Layer, should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The path allowance check in GeneralUtility::isAllowedAbsPath() is vulnerable to a path traversal attack. The check performs a plain string prefix comparison without requiring a directory separator boundary. This allows an attacker to create file storage definitions pointing to directories outside the project root.

Defensive priority

Low

Recommended defensive actions

  • Upgrade to a patched version of TYPO3 CMS (10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3, or later).
  • Restrict access to the File Abstraction Layer to prevent administrator users from creating new file storage definitions.

Evidence notes

The CVE-2026-49738 vulnerability has a CVSS score of 2.1 and is classified as LOW severity. The vulnerability was published on June 9, 2026, and last modified on the same day.

Official resources

CVE-2026-49738 was published on 2026-06-09T11:16:53.247Z and last modified on 2026-06-09T13:46:50.540Z.