Skip to main content

TYPO3 CMS CVE-2026-49742

| EUVDEUVD-2026-35403 HIGH
Path Traversal (CWE-22)
2026-06-09 f4fb688c-4412-4426-b4b8-421ecf27b14a GHSA-chm7-4vch-h8vr
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 11:35 vuln.today
Analysis Generated
Jun 09, 2026 - 11:35 vuln.today

DescriptionCVE.org

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

AnalysisAI

Information disclosure in TYPO3 CMS allows authenticated backend users with file download permissions to retrieve arbitrary files from the server's document root via the Media Module's File Abstraction Layer (FAL) fallback storage. Affected branches span versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2, with no public exploit identified at time of analysis. The flaw exposes sensitive files such as logs, .htpasswd, and configuration material that would normally sit outside the managed file storage.

Technical ContextAI

TYPO3's File Abstraction Layer (FAL) defines a 'fallback storage' (storage ID 0) that resolves paths relative to the web server's document root rather than to a sandboxed fileadmin directory. The FileDownloadController in the filelist system extension (typo3/sysext/filelist/Classes/Controller/FileDownloadController.php) did not exclude fallback-storage file objects when assembling a ZIP for download, so requested items like 'typo3temp/var/log/' or '.htpasswd' could be resolved and packaged. This is a classic CWE-22 (Path Traversal / improper limitation of a pathname to a restricted directory) realized through a missing storage-type check rather than through traditional '../' sequences.

RemediationAI

Upgrade TYPO3 CMS to a fixed branch release beyond the affected ranges - i.e., a release later than 11.5.50, 12.4.45, 13.4.30, or 14.3.2 - per TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-013 (https://typo3.org/security/advisory/typo3-core-sa-2026-013); released patched versions for each branch should be taken from that advisory. The upstream fix (commits ad636b6 and caa6b44 in TYPO3/typo3) makes FileDownloadController::collectFiles skip any file whose storage reports isFallbackStorage(), so administrators verifying a backport should confirm that check is present. As a compensating control until patching, revoke the file-download permission from non-essential backend user groups, restrict backend access (path /typo3/) to trusted IPs via web server ACLs, and audit recent download activity in sys_log; note that revoking download rights will block legitimate editors from retrieving media, so scope the restriction to operators who actually need fallback-storage-adjacent access.

Share

CVE-2026-49742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy