Description

Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2.

PUBLISHED Reserved 2026-05-19 | Published 2026-06-09 | Updated 2026-06-09 | Assigner TYPO3




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-862 Missing Authorization

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status: unaffected

10.4.0 (semver) before 13.4.31: affected

14.0.0 (semver) before 14.3.3: affected

Credits

Vincent Yang (reporter)

Elias Häußler (remediation developer)

References

typo3.org/security/advisory/typo3-core-sa-2026-014 vendor-advisory

github.com/...ommit/932fbb9fcea25094e8bcc0f0ec5aab56b1d92451 (Git commit of main branch) patch

github.com/...ommit/2740707563343d78184c0b7c6303a7484553d7f3 (Git commit of 13.4 branch) patch

cve.org (CVE-2026-47351)

nvd.nist.gov (CVE-2026-47351)
