Vulnerability-Lookup

CVE-2025-59022 (GCVE-0-2025-59022)

Vulnerability from cvelistv5 – Published: 2026-01-13 11:53 – Updated: 2026-01-13 14:21

Title

TYPO3 CMS Allows Broken Access Control in Recycler Module

Summary

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Severity ?

7.1 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-862 - Missing Authorization

Assigner

TYPO3

References

URL

Tags

	https://typo3.org/security/advisory/typo3-core-sa…	vendor-advisory
	https://github.com/TYPO3/typo3/commit/336d6f16545…	patch
	https://github.com/TYPO3/typo3/commit/efb9528f988…	patch
	https://github.com/TYPO3/typo3/commit/a6604db6649…	patch

Impacted products

	Vendor	Product	Version
	TYPO3	TYPO3 CMS	Affected: 10.0.0 , < 10.4.55 (semver) Affected: 11.0.0 , < 11.5.49 (semver) Affected: 12.0.0 , < 12.4.41 (semver) Affected: 13.0.0 , < 13.4.23 (semver) Affected: 14.0.0 , < 14.0.2 (semver)

Credits

Sven Jürgens Daniel Windloff Elias Häußler

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59022",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-13T14:19:35.396050Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-13T14:21:59.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "modules": [
            "Recycler"
          ],
          "packageName": "typo3/cms-recycler",
          "product": "TYPO3 CMS",
          "repo": "https://github.com/TYPO3/typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "lessThan": "10.4.55",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.49",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.41",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.4.23",
              "status": "affected",
              "version": "13.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.0.2",
              "status": "affected",
              "version": "14.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.4.55",
                  "versionStartIncluding": "10.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "11.5.49",
                  "versionStartIncluding": "11.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "12.4.41",
                  "versionStartIncluding": "12.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "13.4.23",
                  "versionStartIncluding": "13.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "14.0.2",
                  "versionStartIncluding": "14.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Sven J\u00fcrgens"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Daniel Windloff"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Elias H\u00e4u\u00dfler"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the \u003ccode\u003eTCA\u003c/code\u003e - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1."
            }
          ],
          "value": "Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T11:53:45.184Z",
        "orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
        "shortName": "TYPO3"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-003"
        },
        {
          "name": "Git commit of main branch",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TYPO3/typo3/commit/336d6f165458a0ce32d8330999ab9ab6a5983d20"
        },
        {
          "name": "Git commit of 13.4 branch",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TYPO3/typo3/commit/efb9528f9882ac924c40598ebd8508479e9950a3"
        },
        {
          "name": "Git commit of 12.4 branch",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TYPO3/typo3/commit/a6604db66499710f72ae6e7006beb14ad0913aae"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "TYPO3 CMS Allows Broken Access Control in Recycler Module",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
    "assignerShortName": "TYPO3",
    "cveId": "CVE-2025-59022",
    "datePublished": "2026-01-13T11:53:45.184Z",
    "dateReserved": "2025-09-07T19:01:20.436Z",
    "dateUpdated": "2026-01-13T14:21:59.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59022\",\"sourceIdentifier\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"published\":\"2026-01-13T12:15:50.237\",\"lastModified\":\"2026-01-14T19:07:07.353\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.4.55\",\"matchCriteriaId\":\"1F66D2E5-38C1-4708-BBEA-6963B2AFEA8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.5.49\",\"matchCriteriaId\":\"9E718BBF-B384-4223-A53D-528F77E17DC2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.4.41\",\"matchCriteriaId\":\"D330992D-8C99-458A-A139-47407B4BBB66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"13.0.0\",\"versionEndExcluding\":\"13.4.23\",\"matchCriteriaId\":\"AA2179C6-E438-4413-A717-9112618BA6CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.0.0\",\"versionEndExcluding\":\"14.0.2\",\"matchCriteriaId\":\"310C5FCB-6F96-4409-BB9A-E582E18E067A\"}]}]}],\"references\":[{\"url\":\"https://github.com/TYPO3/typo3/commit/336d6f165458a0ce32d8330999ab9ab6a5983d20\",\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/TYPO3/typo3/commit/a6604db66499710f72ae6e7006beb14ad0913aae\",\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/TYPO3/typo3/commit/efb9528f9882ac924c40598ebd8508479e9950a3\",\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"tags\":[\"Patch\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2026-003\",\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59022\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-13T14:19:35.396050Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-13T14:21:56.579Z\"}}], \"cna\": {\"title\": \"TYPO3 CMS Allows Broken Access Control in Recycler Module\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Sven J\\u00fcrgens\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Daniel Windloff\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Elias H\\u00e4u\\u00dfler\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/TYPO3/typo3\", \"vendor\": \"TYPO3\", \"modules\": [\"Recycler\"], \"product\": \"TYPO3 CMS\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.0.0\", \"lessThan\": \"10.4.55\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"11.0.0\", \"lessThan\": \"11.5.49\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.0.0\", \"lessThan\": \"12.4.41\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"13.0.0\", \"lessThan\": \"13.4.23\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"14.0.0\", \"lessThan\": \"14.0.2\", \"versionType\": \"semver\"}], \"packageName\": \"typo3/cms-recycler\", \"collectionURL\": \"https://packagist.org\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://typo3.org/security/advisory/typo3-core-sa-2026-003\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/TYPO3/typo3/commit/336d6f165458a0ce32d8330999ab9ab6a5983d20\", \"name\": \"Git commit of main branch\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/TYPO3/typo3/commit/efb9528f9882ac924c40598ebd8508479e9950a3\", \"name\": \"Git commit of 13.4 branch\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/TYPO3/typo3/commit/a6604db66499710f72ae6e7006beb14ad0913aae\", \"name\": \"Git commit of 12.4 branch\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the \u003ccode\u003eTCA\u003c/code\u003e - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"10.4.55\", \"versionStartIncluding\": \"10.0.0\"}, {\"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"11.5.49\", \"versionStartIncluding\": \"11.0.0\"}, {\"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"12.4.41\", \"versionStartIncluding\": \"12.0.0\"}, {\"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"13.4.23\", \"versionStartIncluding\": \"13.0.0\"}, {\"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"14.0.2\", \"versionStartIncluding\": \"14.0.0\"}], \"operator\": \"OR\"}], \"operator\": \"AND\"}], \"providerMetadata\": {\"orgId\": \"f4fb688c-4412-4426-b4b8-421ecf27b14a\", \"shortName\": \"TYPO3\", \"dateUpdated\": \"2026-01-13T11:53:45.184Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59022\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-13T14:21:59.794Z\", \"dateReserved\": \"2025-09-07T19:01:20.436Z\", \"assignerOrgId\": \"f4fb688c-4412-4426-b4b8-421ecf27b14a\", \"datePublished\": \"2026-01-13T11:53:45.184Z\", \"assignerShortName\": \"TYPO3\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0037

Vulnerability from certfr_avis - Published: 2026-01-14 - Updated: 2026-01-14

De multiples vulnérabilités ont été découvertes dans Typo3. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Typo3	Typo3	typo3/cms-backend versions antérieures à 14.0.2 pour composer
Typo3	Typo3	typo3/cms-backend versions antérieures à 12.4.41 pour composer
Typo3	Typo3	typo3/cms-core versions antérieures à 13.4.23 pour composer
Typo3	Typo3	typo3/cms-recycler versions antérieures à 10.4.55 pour composer
Typo3	Typo3	typo3/cms-backend versions antérieures à 13.4.23 pour composer
Typo3	Typo3	typo3/cms-redirects versions antérieures à 12.4.41 pour composer
Typo3	Typo3	typo3/cms-recycler versions antérieures à 11.5.49 pour composer
Typo3	Typo3	typo3/cms-core versions antérieures à 11.5.49 pour composer
Typo3	Typo3	typo3/cms-backend versions antérieures à 11.5.49 pour composer
Typo3	Typo3	typo3/cms-recycler versions antérieures à 14.0.2 pour composer
Typo3	Typo3	typo3/cms-core versions antérieures à 10.4.55 pour composer
Typo3	Typo3	typo3/cms-core versions antérieures à 12.4.41 pour composer
Typo3	Typo3	typo3/cms-redirects versions antérieures à 10.4.55 pour composer
Typo3	Typo3	typo3/cms-core versions antérieures à 14.0.2 pour composer
Typo3	Typo3	typo3/cms-backend versions antérieures à 10.4.55 pour composer
Typo3	Typo3	typo3/cms-recycler versions antérieures à 13.4.23 pour composer
Typo3	Typo3	typo3/cms-redirects versions antérieures à 13.4.23 pour composer
Typo3	Typo3	typo3/cms-redirects versions antérieures à 14.0.2 pour composer
Typo3	Typo3	typo3/cms-redirects versions antérieures à 11.5.49 pour composer
Typo3	Typo3	typo3/cms-recycler versions antérieures à 12.4.41 pour composer

References

Title

Publication Time

NCSC-2026-0018

Vulnerability from csaf_ncscnl - Published: 2026-01-16 10:11 - Updated: 2026-01-16 10:11

Summary

Kwetsbaarheden verholpen in TYPO3 CMS

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

TYPO3 heeft kwetsbaarheden verholpen in TYPO3 CMS (Specifiek voor bepaalde versies).

Interpretaties

De kwetsbaarheden in TYPO3 CMS stellen aanvallers in staat om veldniveau-toegangscontroles te omzeilen, ongeautoriseerde gegevens in te voegen in beperkte databasevelden, en om redirectrecords te manipuleren zonder enige restricties. Daarnaast kunnen backend-gebruikers met toegang tot de recycler-module gegevens verwijderen uit elke database tabel zonder de noodzakelijke machtigingen. Ook kunnen lokale gebruikers met schrijftoegang tot de mail-file spool directory willekeurige PHP-code uitvoeren via onveilige deserialisatie. Deze kwetsbaarheden kunnen leiden tot ernstige risico's voor de integriteit van gegevens en de beschikbaarheid van de site.

Oplossingen

TYPO3 heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-502

Deserialization of Untrusted Data

CWE-862

Missing Authorization

CWE-863

Incorrect Authorization

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "TYPO3 heeft kwetsbaarheden verholpen in TYPO3 CMS (Specifiek voor bepaalde versies).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in TYPO3 CMS stellen aanvallers in staat om veldniveau-toegangscontroles te omzeilen, ongeautoriseerde gegevens in te voegen in beperkte databasevelden, en om redirectrecords te manipuleren zonder enige restricties. Daarnaast kunnen backend-gebruikers met toegang tot de recycler-module gegevens verwijderen uit elke database tabel zonder de noodzakelijke machtigingen. Ook kunnen lokale gebruikers met schrijftoegang tot de mail-file spool directory willekeurige PHP-code uitvoeren via onveilige deserialisatie. Deze kwetsbaarheden kunnen leiden tot ernstige risico\u0027s voor de integriteit van gegevens en de beschikbaarheid van de site.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "TYPO3 heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Deserialization of Untrusted Data",
        "title": "CWE-502"
      },
      {
        "category": "general",
        "text": "Missing Authorization",
        "title": "CWE-862"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-001"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-002"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-003"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-004"
      }
    ],
    "title": "Kwetsbaarheden verholpen in TYPO3 CMS",
    "tracking": {
      "current_release_date": "2026-01-16T10:11:37.524826Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0018",
      "initial_release_date": "2026-01-16T10:11:37.524826Z",
      "revision_history": [
        {
          "date": "2026-01-16T10:11:37.524826Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "CMS"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Core"
          }
        ],
        "category": "vendor",
        "name": "TYPO3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-59020",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "description",
          "text": "TYPO3 CMS is vulnerable due to the `defVals` parameter, which allows attackers to bypass field-level access checks and insert unauthorized data into restricted database fields.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-59020 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59020.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-59020"
    },
    {
      "cve": "CVE-2025-59021",
      "cwe": {
        "id": "CWE-862",
        "name": "Missing Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Authorization",
          "title": "CWE-862"
        },
        {
          "category": "description",
          "text": "A vulnerability in TYPO3 allowed unauthorized backend users to manipulate redirect records, posing security risks and enabling potential phishing attacks, which has been addressed in updated versions.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-59021 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59021.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-59021"
    },
    {
      "cve": "CVE-2025-59022",
      "cwe": {
        "id": "CWE-862",
        "name": "Missing Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Authorization",
          "title": "CWE-862"
        },
        {
          "category": "description",
          "text": "A security vulnerability in specific versions of TYPO3 CMS allowed unauthorized backend users to delete data from any database table via the recycler module, compromising critical site data and availability.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-59022 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59022.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-59022"
    },
    {
      "cve": "CVE-2026-0859",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "description",
          "text": "A vulnerability in TYPO3 allows local users with write access to execute arbitrary PHP code through insecure deserialization in multiple versions of TYPO3 when the mailer:spool:send command is executed.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-0859 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0859.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2026-0859"
    }
  ]
}

GHSA-P52W-7RHW-9M67

Vulnerability from github – Published: 2026-01-13 20:37 – Updated: 2026-01-13 20:37

Summary

TYPO3 CMS Allows Broken Access Control in Recycler Module

Details

Problem

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Sven Jürgens and Daniel Windloff for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

References

TYPO3-CORE-SA-2026-003

Severity ?

7.1 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 14.0.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 13.4.22"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.4.40"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.5.48"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.49"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.4.54"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T20:37:44Z",
    "nvd_published_at": "2026-01-13T12:15:50Z",
    "severity": "HIGH"
  },
  "details": "### Problem\nBackend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable.\n\n### Solution\nUpdate to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.\n\n### Credits\nThanks to Sven J\u00fcrgens and Daniel Windloff for reporting this issue, and to TYPO3 security team member Elias H\u00e4u\u00dfler for fixing it.\n\n### References\n* [TYPO3-CORE-SA-2026-003](https://typo3.org/security/advisory/typo3-core-sa-2026-003)",
  "id": "GHSA-p52w-7rhw-9m67",
  "modified": "2026-01-13T20:37:44Z",
  "published": "2026-01-13T20:37:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-p52w-7rhw-9m67"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/336d6f165458a0ce32d8330999ab9ab6a5983d20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/a6604db66499710f72ae6e7006beb14ad0913aae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/efb9528f9882ac924c40598ebd8508479e9950a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3/typo3"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TYPO3 CMS Allows Broken Access Control in Recycler Module"
}

FKIE_CVE-2025-59022

Vulnerability from fkie_nvd - Published: 2026-01-13 12:15 - Updated: 2026-01-14 19:07

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

URL	Tags
f4fb688c-4412-4426-b4b8-421ecf27b14a	https://github.com/TYPO3/typo3/commit/336d6f165458a0ce32d8330999ab9ab6a5983d20	Patch
f4fb688c-4412-4426-b4b8-421ecf27b14a	https://github.com/TYPO3/typo3/commit/a6604db66499710f72ae6e7006beb14ad0913aae	Patch
f4fb688c-4412-4426-b4b8-421ecf27b14a	https://github.com/TYPO3/typo3/commit/efb9528f9882ac924c40598ebd8508479e9950a3	Patch
f4fb688c-4412-4426-b4b8-421ecf27b14a	https://typo3.org/security/advisory/typo3-core-sa-2026-003	Vendor Advisory

Impacted products

Vendor	Product	Version
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F66D2E5-38C1-4708-BBEA-6963B2AFEA8B",
              "versionEndExcluding": "10.4.55",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E718BBF-B384-4223-A53D-528F77E17DC2",
              "versionEndExcluding": "11.5.49",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D330992D-8C99-458A-A139-47407B4BBB66",
              "versionEndExcluding": "12.4.41",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA2179C6-E438-4413-A717-9112618BA6CF",
              "versionEndExcluding": "13.4.23",
              "versionStartIncluding": "13.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "310C5FCB-6F96-4409-BB9A-E582E18E067A",
              "versionEndExcluding": "14.0.2",
              "versionStartIncluding": "14.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1."
    }
  ],
  "id": "CVE-2025-59022",
  "lastModified": "2026-01-14T19:07:07.353",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-13T12:15:50.237",
  "references": [
    {
      "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/TYPO3/typo3/commit/336d6f165458a0ce32d8330999ab9ab6a5983d20"
    },
    {
      "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/TYPO3/typo3/commit/a6604db66499710f72ae6e7006beb14ad0913aae"
    },
    {
      "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/TYPO3/typo3/commit/efb9528f9882ac924c40598ebd8508479e9950a3"
    },
    {
      "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-003"
    }
  ],
  "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-59022 (GCVE-0-2025-59022)

CERTFR-2026-AVI-0037

Solutions

NCSC-2026-0018

GHSA-P52W-7RHW-9M67

Problem

Solution

Credits

References

FKIE_CVE-2025-59022

Tags

Sightings

Nomenclature