Auth bypass in TYPO3 CMS

CVE-2025-59022

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy cr…

Vulnerability class: Broken Access Control

EPSS: 0.000 (5.8th percentile)

Affected products

  • TYPO3 CMS — versions 10.0.0, 11.0.0, 12.0.0
