Skip to main content

TYPO3 CMS EUVDEUVD-2026-35398

| CVE-2026-47351 MEDIUM
Information Exposure (CWE-200)
2026-06-09 f4fb688c-4412-4426-b4b8-421ecf27b14a GHSA-q93m-25xv-94hh
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 11:39 vuln.today
Analysis Generated
Jun 09, 2026 - 11:39 vuln.today

DescriptionCVE.org

Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2.

AnalysisAI

TYPO3 CMS clipboard functionality exposes unauthorized records and files to authenticated backend users due to missing read permission enforcement. Affected versions span 10.4.0 through 13.4.30 and 14.0.0 through 14.3.2. A low-privileged backend user can insert arbitrary database records or file system objects into their clipboard, causing the application to resolve and expose metadata about resources they are not authorized to view - effectively bypassing access controls on content visibility. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in TYPO3's backend clipboard subsystem, specifically in the cleanCurrent() method of typo3/sysext/backend/Classes/Clipboard/Clipboard.php. The clipboard is a backend UI feature allowing editors to copy/paste or move records and files across page trees. Before the fix, when cleaning stale clipboard entries, the code only verified object existence - it called BackendUtility::getRecord() for database records and resourceFactory->retrieveFileOrFolderObject() for files - but never checked whether the requesting backend user held read permissions on those objects. CWE-200 (Exposure of Sensitive Information to Unauthorized Actor) is the root cause class: the system's access control model was not uniformly applied at the clipboard API layer. The fix, visible in commit 2740707563343d78184c0b7c6303a7484553d7f3, adds explicit permission gate checks: for files it now calls $fileOrFolder->checkActionPermission('read'), and for database records it validates tables_select table permission and PAGE_SHOW page-level permission via doesUserHaveAccess(). Affected CPEs cover TYPO3 Core versions 10.4.x, 11.x, 12.x, 13.x up to 13.4.30, and 14.0.x through 14.3.2.

RemediationAI

The primary remediation is to upgrade TYPO3 CMS to a patched release. Upstream fixes are confirmed via commits 2740707563343d78184c0b7c6303a7484553d7f3 and 932fbb9fcea25094e8bcc0f0ec5aab56b1d92451 on the TYPO3 GitHub repository; consult the vendor advisory at https://typo3.org/security/advisory/typo3-core-sa-2026-014 to identify the exact patched release versions for the 13.x and 14.x branches, as specific fix version numbers are not independently confirmed in the available source data. If immediate patching is not possible, a compensating control is to audit and restrict backend user accounts: remove backend access from any users who should not be trusted to enumerate record or file metadata. Additionally, reviewing and tightening TYPO3 backend group permissions to enforce least-privilege on tables_select and page-tree access reduces the set of records/files a malicious insider could enumerate. These workarounds reduce exposure but do not eliminate the underlying permission bypass - patching remains the definitive fix.

Share

EUVD-2026-35398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy