Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
AnalysisAI
Information disclosure in TYPO3 CMS allows authenticated backend users with file download permissions to retrieve arbitrary files from the server's document root via the Media Module's File Abstraction Layer (FAL) fallback storage. Affected branches span versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2, with no public exploit identified at time of analysis. The flaw exposes sensitive files such as logs, .htpasswd, and configuration material that would normally sit outside the managed file storage.
Technical ContextAI
TYPO3's File Abstraction Layer (FAL) defines a 'fallback storage' (storage ID 0) that resolves paths relative to the web server's document root rather than to a sandboxed fileadmin directory. The FileDownloadController in the filelist system extension (typo3/sysext/filelist/Classes/Controller/FileDownloadController.php) did not exclude fallback-storage file objects when assembling a ZIP for download, so requested items like 'typo3temp/var/log/' or '.htpasswd' could be resolved and packaged. This is a classic CWE-22 (Path Traversal / improper limitation of a pathname to a restricted directory) realized through a missing storage-type check rather than through traditional '../' sequences.
RemediationAI
Upgrade TYPO3 CMS to a fixed branch release beyond the affected ranges - i.e., a release later than 11.5.50, 12.4.45, 13.4.30, or 14.3.2 - per TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-013 (https://typo3.org/security/advisory/typo3-core-sa-2026-013); released patched versions for each branch should be taken from that advisory. The upstream fix (commits ad636b6 and caa6b44 in TYPO3/typo3) makes FileDownloadController::collectFiles skip any file whose storage reports isFallbackStorage(), so administrators verifying a backport should confirm that check is present. As a compensating control until patching, revoke the file-download permission from non-essential backend user groups, restrict backend access (path /typo3/) to trusted IPs via web server ACLs, and audit recent download activity in sys_log; note that revoking download rights will block legitimate editors from retrieving media, so scope the restriction to operators who actually need fallback-storage-adjacent access.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35403
GHSA-chm7-4vch-h8vr