Typo3 Typo3 Cms
20 CVEs affecting Typo3 Typo3 Cms. Latest disclosed: 2026-04-21. Critical: 0, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-15098 | High | 8.8 | 2020-07-29 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an inte… |
| CVE-2020-11067 | High | 8.8 | 2020-05-13 | In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure des… |
| CVE-2020-11066 | High | 8.7 | 2020-05-13 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious u… |
| CVE-2020-15099 | High | 8.1 | 2020-07-29 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages… |
| CVE-2020-11069 | High | 8.0 | 2020-05-13 | In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-s… |
| CVE-2026-6553 | High | 7.5 | 2026-04-21 | Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users dat… |
| CVE-2020-11065 | Medium | 5.4 | 2020-05-13 | In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2, it has been discovered that link t… |
| CVE-2020-11064 | Medium | 5.4 | 2020-05-13 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML pla… |
| CVE-2020-11063 | Low | 3.7 | 2020-05-13 | In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. Th… |
| CVE-2026-0859 | | | 2026-01-13 | TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the m… |
| CVE-2025-59022 | | | 2026-01-13 | Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had per… |
| CVE-2025-59021 | | | 2026-01-13 | Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record with… |
| CVE-2025-59020 | | | 2026-01-13 | By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability t… |
| CVE-2025-59019 | | | 2025-09-09 | Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclo… |
| CVE-2025-59018 | | | 2025-09-09 | Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 all… |
| CVE-2025-59017 | | | 2025-09-09 | Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allo… |
| CVE-2025-59016 | | | 2025-09-09 | Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.3… |
| CVE-2025-59015 | | | 2025-09-09 | A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing a… |
| CVE-2025-59014 | | | 2025-09-09 | An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users t… |
| CVE-2025-59013 | | | 2025-09-09 | An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.1… |