
TYPO3 CMS CVE-2026-47349

EUVD-2026-35396 · MEDIUM
Missing Authorization (CWE-862)
2026-06-09 · f4fb688c-4412-4426-b4b8-421ecf27b14a · GHSA-f34x-rx2w-7pm3
CVSS 4.0 (NVD): 5.3

Severity by source

  • NVD (primary): 5.3 MEDIUM

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Jun 09, 2026 13:01 (EUVD): Patch available
  • Jun 09, 2026 11:38 (vuln.today): Source code evidence fetched
  • Jun 09, 2026 11:38 (vuln.today): Analysis generated

Description (source: CVE.org)

Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Analysis (AI-generated)

Insufficient authorization in TYPO3 CMS's Recycler module allows authenticated backend users to restore soft-deleted records on pages or database tables they are not permitted to modify, resulting in unauthorized integrity impact across the content management system. Affected are TYPO3 CMS versions before 10.4.57 and multiple branches through 14.3.3, with fixes delivered via two upstream commits and documented under TYPO3-CORE-SA-2026-011. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Authenticate to TYPO3 backend with low-privilege account
  • Delivery: Access Recycler module via granted backend group permission
  • Exploit: Enumerate soft-deleted records across restricted pages or tables
  • Execution: Issue undelete command via DataHandler
  • Persist: DataHandler skips table/page permission checks
  • Impact: Unauthorized records restored to live content tree

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must be an authenticated TYPO3 backend user (PR:L, confirmed by the CVSS vector) with access to the Recycler backend module (`mod.web_recycler`). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 base score of 5.3 (Medium) is consistent with the actual risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with a valid TYPO3 backend account, such as a low-privilege content editor, navigates to the Recycler module and identifies soft-deleted records belonging to pages or tables outside their normal write permissions. By triggering the undelete operation, the DataHandler restores those records without checking page-insert or table-modify permissions, allowing the attacker to reintroduce deleted content into restricted areas of the site. …

Remediation: The primary fix is to upgrade TYPO3 CMS to a patched release. … Detailed patch versions, workarounds, and compensating controls in full report.
