
TYPO3 CMS EUVD-2026-35394 | CVE-2026-47347 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-09 · f4fb688c-4412-4426-b4b8-421ecf27b14a · GHSA-3p42-w5ch-gg42
Score: 5.3 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector breakdown (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Passive (P)
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 09, 2026 - 13:01 (EUVD)
Source Code Evidence Fetched: Jun 09, 2026 - 11:37 (vuln.today)
Analysis Generated: Jun 09, 2026 - 11:37 (vuln.today)

Description (CVE.org)

Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Analysis (AI)

Open redirect exploitation in TYPO3 CMS allows unauthenticated remote attackers to bypass the GeneralUtility::sanitizeLocalUrl locality check by crafting URLs containing backslash sequences, control characters, or slash-pattern variations that the prior implementation failed to reject, redirecting victims to arbitrary external sites for phishing. All major active TYPO3 branches are affected: versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify TYPO3 redirect endpoint accepting URL parameter
Delivery: Craft bypass URL using backslash or control-character pattern
Exploit: Deliver crafted link to target victim
Execution: Victim accesses link; TYPO3 passes malformed URL through sanitizeLocalUrl
Persist: Application issues HTTP redirect to attacker-controlled domain
Impact: Victim lands on phishing page

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three concurrent conditions: (1) the TYPO3 application has an endpoint that accepts a URL value from attacker-influenced input (e.g., a query parameter, form field, or HTTP header); (2) that URL is passed through `GeneralUtility::sanitizeLocalUrl` as a locality validation gate; and (3) the sanitized return value is subsequently used directly in an HTTP redirect or equivalent navigation operation without additional validation. …

Risk Assessment: CVSS 4.0 rates this 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:P, indicating network-reachable exploitation requiring no authentication and no special attack preconditions, but gated on passive user interaction (a victim must follow or be redirected via the crafted URL). …

Exploit Scenario: An attacker identifies a TYPO3 login page or similar feature that accepts a `redirect_url` parameter, crafts a URL such as `\\//attacker.example.com/phishing-page` or `//\\attacker.example.com`, and distributes it via email or a compromised link. When a victim follows the URL, TYPO3's unpatched `sanitizeLocalUrl` passes the value as a valid local URL, and the application issues an HTTP redirect that the victim's browser resolves to the attacker-controlled external site. …

Remediation: Upgrade TYPO3 CMS to a patched release per the vendor advisory at https://typo3.org/security/advisory/typo3-core-sa-2026-009. …
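Added example, not TYPO3's code and not the patched `sanitizeLocalUrl` itself: a standalone Python check a defender can apply at the point of use (condition 3 under Exploitation) so that the redirect target is re-validated rather than trusted. It folds backslashes before testing for a protocol-relative prefix, rejects control characters, and falls back to a fixed local path; the sample strings are the two quoted in the exploit scenario plus constructed benign and malformed inputs.

```python
from urllib.parse import urlsplit


def is_safe_local_url(url: str) -> bool:
    """Accept only an absolute-path reference on the current origin, e.g. "/typo3/login"."""
    # Reject ASCII control characters, DEL and whitespace anywhere in the value.
    # Browsers silently strip or tolerate some of them, so a check that only looks
    # at the first characters can be fooled by an embedded control byte.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # Browsers treat "\" as "/" in http(s) URLs, so fold backslashes before any
    # structural test instead of trying to enumerate slash/backslash patterns.
    folded = url.replace("\\", "/")
    # Exactly one leading slash: "//host/..." is protocol-relative and leaves the site.
    if not folded.startswith("/") or folded.startswith("//"):
        return False
    # Belt and braces: after folding there must be neither a scheme nor an authority.
    parts = urlsplit(folded)
    return parts.scheme == "" and parts.netloc == ""


def redirect_target(candidate: str, fallback: str = "/") -> str:
    """Re-validate at the point of use: fall back to a fixed local path on any doubt."""
    return candidate if is_safe_local_url(candidate) else fallback


# Constructed samples: the two strings quoted in the exploit scenario above, a
# protocol-relative URL, a control-character variant, and benign local paths.
SAMPLES = {
    "/typo3/module/dashboard?token=abc": True,
    "/": True,
    r"\\//attacker.example.com/phishing-page": False,
    r"//\\attacker.example.com": False,
    "//attacker.example.com": False,
    "/\x0battacker.example.com": False,
    "https://attacker.example.com/": False,
}


def check_samples(samples: dict = SAMPLES) -> bool:
    """Return True when every sample is classified as expected."""
    return all(is_safe_local_url(url) is expected for url, expected in samples.items())


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict = "local" if is_safe_local_url(url) else "rejected"
        print(f"{url!r:45} -> {verdict} (expected {'local' if expected else 'rejected'})")
```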



EUVD-2026-35394 vulnerability details – vuln.today
