These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-49742 is a HIGH-severity vulnerability affecting TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. The issue allows backend users with file download permissions to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose [truncated]
CVE-2026-49741 is a high-severity vulnerability in TYPO3 CMS versions 14.0.0-14.3.3. Backend users with write access to the form_definition database table could directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations and re-enabling attack vectors originally [truncated]
CVE-2026-49740 is a PHP Object Injection vulnerability in TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry). The vulnerability allows an attacker with write access to the underlying storage backend (cache store or sys_registry database table) to inject a crafted serialized payload, potentially triggering PHP Object Injection. This could be exploited to achieve Remote Code [truncated]
A vulnerability in TYPO3 CMS, tracked as CVE-2026-49738, allows administrator users with access to the File Abstraction Layer to create new file storage definitions pointing to directories outside the project root. This is possible due to a flawed path allowance check in GeneralUtility::isAllowedAbsPath(), which performs a plain string prefix comparison without requiring a directory separator boundary. Th [truncated]
CVE-2026-47352 is a vulnerability in TYPO3 CMS that allows authenticated backend users to retrieve file metadata without proper permission checks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.
CVE-2026-47351 is a medium-severity vulnerability in TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2. The issue allows backend users to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, potentially allowing users to gather information about records and files they are not authorized to view. The Common Vulnerability Scoring System (CVSS) score for this v [truncated]
A vulnerability in TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3 allows backend users to move records to a different page without having edit permissions on the source page. This issue has a CVSS score of 5.3 and is classified as MEDIUM severity.
CVE-2026-47349 is a vulnerability in TYPO3 CMS that allows backend users with access to the Recycler module to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3.
CVE-2026-47348 is a Cross-Site Scripting (XSS) vulnerability in TYPO3 CMS, a popular content management system. The vulnerability affects versions 13.0.0-13.4.30 and 14.0.0-14.3.2. Editors with access to create or modify page content could include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, t [truncated]
A medium-severity open redirect vulnerability, CVE-2026-47347, was found in TYPO3 CMS. The vulnerability occurs when applications use GeneralUtility::sanitizeLocalUrl to allow only local URLs, making them vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing atta [truncated]
CVE-2026-47346 is a high-severity vulnerability in TYPO3 CMS that allows backend users with file write permissions to upload malicious form definition files, potentially leading to arbitrary SQL statement execution and privilege escalation. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. The vulnerability has a CVSS score of 7.6 and [truncated]
CVE-2026-47343 is a high-severity vulnerability affecting TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2. The issue allows non-privileged backend users with file mount access to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictio [truncated]
CVE-2026-11607 is a high-severity vulnerability affecting TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3. The issue allows backend users with access to the Form Framework to use files not ending in .form.yaml as form definitions, which are processed without denying the incorrect file extension. This can be exploited to execute arbitrary SQL statements, [truncated]
CVE-2026-47344 is a low-severity vulnerability in typo3/html-sanitizer that allows bypassing the cross-site scripting prevention mechanism. The vulnerability occurs when ALLOW_INSECURE_RAW_TEXT is enabled, and whitespace-variant closing tags are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This vulnerability was published o [truncated]
A SQL injection vulnerability exists in the AddressRepository::getSqlQuery() method of a TYPO3 extension. The method constructs database queries without proper input sanitization. While the vulnerable method is not invoked within the extension itself—eliminating direct risk in default installations—custom extensions that call this method with untrusted input can expose sites to SQL injection attacks. The [truncated]
CVE-2026-8726 is a high-severity SQL injection vulnerability in a TYPO3 extension, published 2026-05-19. The flaw stems from improper sanitization of user input before use in database queries. An unauthenticated attacker can inject arbitrary SQL via a URL parameter on pages utilizing the 'Date Menu of news articles' plugin. Exploitation is contingent on two conditions: the plugin must be active, and the T [truncated]
CVE-2026-46725 describes a critical PHP object injection issue in a TYPO3-related extension. An attacker can supply a crafted cookie that is passed directly into PHP unserialize() without safe handling. If the affected content element is configured with Persistent Mode: Static, a remote unauthenticated attacker may be able to trigger code execution on the TYPO3 server. The vulnerability is rated CVSS 9.2 [truncated]
CVE-2026-46724 describes a path traversal weakness in a file indexer that fails to normalize its configured directory path. According to the NVD record, a backend user who already has permission to edit indexer configurations can use traversal sequences to point indexing at arbitrary locations on the server file system. The primary risk is unauthorized exposure of local files through the indexing workflow [truncated]
CVE-2026-46723 is a medium-severity information disclosure vulnerability in TYPO3's indexed search extension. The `additional_tables` configuration parameter in the page and tt_content indexers fails to validate table and field names, allowing a backend user with indexer configuration permissions to exfiltrate sensitive data from internal TYPO3 tables into the search index. Published on 2026-05-19, this i [truncated]
A medium-severity XML External Entity (XXE) vulnerability in the OOXML file indexer allows crafted .xlsx or .pptx documents to trigger local file disclosure or outbound HTTP requests, with retrieved content written to the search index. The vulnerability was published on 2026-05-19 and affects TYPO3 CMS based on the vendor security advisory reference. The CVSS 4.0 vector indicates network attack vector wit [truncated]
CVE-2026-46721 is a medium-severity authorization bypass vulnerability affecting TYPO3 CMS frontend user management. The create and edit flows fail to restrict which user properties may be submitted and do not enforce access control on frontend user group assignment. An attacker can exploit this by assigning arbitrary frontend user groups during account registration or modification, thereby gai [truncated]
CVE-2016-5091 affects TYPO3 Extbase and is rated high severity by NVD. The issue can let a remote attacker obtain sensitive information and, in some cases, possibly execute arbitrary code through a crafted Extbase action. The source set shows the vendor and mailing-list references in May 2016, while the CVE record itself was published on 2017-01-23.
CVE-2016-4056 is a cross-site scripting issue in the TYPO3 Backend component. The vulnerability affects TYPO3 6.2.x before 6.2.19 and can let a remote attacker inject arbitrary web script or HTML via the module parameter when creating a bookmark. Because the attack requires user interaction, the main risk is malicious code executing in an authenticated user’s browser session rather than direct server compromise.