CVE-2026-47350 | THREATINT

Description

Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.

PUBLISHED Reserved 2026-05-19 | Published 2026-06-09 | Updated 2026-06-09 | Assigner TYPO3

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

13.0.0 (semver) before 13.4.31

affected

14.0.0 (semver) before 14.3.3

affected

Credits

Hyunseo Shin reporter

Torben Hansen remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2026-012 vendor-advisory

github.com/...ommit/c9898d2e67608eda78f8bd1f06ee9cf05a872a56 (Git commit of main branch) patch

github.com/...ommit/195356996a60e40aeb2cd3e45a5f5c8940d5e116 (Git commit of 13.4 branch) patch

cve.org (CVE-2026-47350)

nvd.nist.gov (CVE-2026-47350)

Download JSON