Auth bypass in TYPO3 CMS

CVE-2025-59020

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for w…

Vulnerability class: Broken Access Control

EPSS: 0.000 (2.6th percentile)

Affected products

  • TYPO3 CMS — versions 10.0.0, 11.0.0, 12.0.0

Weakness classification (CWE)

References