Skip to main content

TYPO3 CMS EUVDEUVD-2026-35400

| CVE-2026-49738 LOW
Path Traversal (CWE-22)
2026-06-09 f4fb688c-4412-4426-b4b8-421ecf27b14a GHSA-jf56-v8jc-jcc5
2.1
CVSS 4.0 · Vendor: f4fb688c-4412-4426-b4b8-421ecf27b14a

Severity by source

Vendor (f4fb688c-4412-4426-b4b8-421ecf27b14a) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (f4fb688c-4412-4426-b4b8-421ecf27b14a) · only source for this CVE.

CVSS VectorVendor: f4fb688c-4412-4426-b4b8-421ecf27b14a

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 11:40 vuln.today
Analysis Generated
Jun 09, 2026 - 11:40 vuln.today

DescriptionCVE.org

The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

AnalysisAI

Path traversal in TYPO3 CMS's GeneralUtility::isAllowedAbsPath() allows authenticated administrator-level users to define File Abstraction Layer (FAL) storage roots that resolve to directories outside the project root. Affected versions span all active TYPO3 branches: before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.1 reflects the severe privilege and prerequisite constraints that substantially limit real-world impact.

Technical ContextAI

The root cause (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) lies in a boundary-unaware string prefix check within GeneralUtility::isAllowedAbsPath() in typo3/sysext/core/Classes/Utility/GeneralUtility.php. The function called str_starts_with($path, Environment::getProjectPath()) without appending a directory separator, meaning a path like /var/www/html-other/secret.yaml would pass the check when the project root was /var/www/html - because the string literally starts with the prefix. The fix, visible in commit 150a983a5d687cedcfc33bbe9c335d9a13fd05e5, appends '/' to both getProjectPath() and getPublicPath() before the prefix comparison, and also sanitizes trailing separators on the input path via PathUtility::sanitizeTrailingSeparator(). The vulnerability is exercised through the File Abstraction Layer (FAL), TYPO3's abstraction for managing file storages, when an administrator creates a new storage definition pointing to an out-of-bounds directory.

RemediationAI

Upgrade to a patched release: 10.4.57 or later for the 10.x branch; 11.5.52 or later for the 11.x branch; 12.4.47 or later for the 12.x branch; 13.4.32 or later for the 13.x branch; and 14.3.4 or later for the 14.x branch (note: exact fix versions for branches 11-14 are inferred from the affected ranges in the description - consult the official advisory at https://typo3.org/security/advisory/typo3-core-sa-2026-016 to confirm the precise release tags). The upstream fix is confirmed present in two GitHub commits: 150a983a5d687cedcfc33bbe9c335d9a13fd05e5 and 44c2fa9807944136218a0842e3051c0a379a002d. If immediate patching is not feasible, a compensating control is to restrict which backend user accounts hold the administrator role and specifically to audit or revoke access to FAL storage configuration for any accounts that do not operationally require it; this removes the attack surface without affecting normal site operation. There are no known side effects to the code-level fix itself.

Share

EUVD-2026-35400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy