PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49742 TYPO3 CVE debrief

CVE-2026-49742 is a HIGH-severity vulnerability affecting TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. The issue allows backend users with file download permissions to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. The vulnerability has a CVSS score of 7.1 and is classified as CWE-22 and CWE-200.

Vendor: TYPO3
Product: TYPO3 CMS
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-09
Advisory published: 2026-06-09
Advisory updated: 2026-06-09

Who should care

Users of TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2 should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The vulnerability lies in how the file abstraction layer (FAL) of TYPO3 CMS exposes its fallback storage through the Media Module. Backend users with file download permissions can download files from the fallback storage, and because that storage resolves paths relative to the server's document root, sensitive files such as log files can be exposed.

Defensive priority

HIGH

Recommended defensive actions

  • Update TYPO3 CMS to a version outside of the affected ranges (11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2).
  • Restrict file download permissions to only necessary users.
  • Monitor Media Module usage and logs for suspicious activity.
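To support the first action above, the following added example (not code from PatchSiren or the TYPO3 project) checks an installed version against the affected ranges listed in this debrief. It assumes a Composer-based installation whose `composer.lock` contains a `typo3/cms-core` entry; the function names and the sample lock content are constructed for illustration.

```python
import json

# Affected ranges exactly as listed in this debrief (inclusive bounds).
AFFECTED = [
    ((11, 0, 0), (11, 5, 50)),
    ((12, 0, 0), (12, 4, 45)),
    ((13, 0, 0), (13, 4, 30)),
    ((14, 0, 0), (14, 3, 2)),
]

def parse_version(text):
    """Turn 'v12.4.45' or '12.4.45' into (12, 4, 45); None if not x.y.z."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None  # dev branches and aliases need manual review
    return tuple(int(p) for p in parts)

def is_affected(version_text):
    """True/False for a parsable version, None when it cannot be judged."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def check_composer_lock(lock_json, package="typo3/cms-core"):
    """Return (version, affected) for the TYPO3 core entry in composer.lock text."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            version = str(pkg.get("version") or "")
            return version, is_affected(version)
    return None, None  # package not present in the lock file

# Constructed sample composer.lock content (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.40"},
    {"name": "typo3/cms-backend", "version": "v12.4.40"},
]})

if __name__ == "__main__":
    version, affected = check_composer_lock(SAMPLE_LOCK)
    print(f"typo3/cms-core {version}: affected={affected}")
```

A result of `None` means the version string could not be compared (for example a development branch) and the installation should be reviewed by hand.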

Evidence notes

The CVE-2026-49742 vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-49742) and has additional details on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-49742).

Official resources

CVE-2026-49742 was published on 2026-06-09T11:16:53.650Z and modified on 2026-06-09T13:46:50.540Z.