HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2025-59022

CVSS 7.1v4.0pub. 2026-01-13upd. 2026-01-14

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Typo3

    APP
    Typo3
    10.0.0 – 10.4.55 (bez)11.0.0 – 11.5.49 (bez)12.0.0 – 12.4.41 (bez)13.0.0 – 13.4.23 (bez)14.0.0 – 14.0.2 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2011-3583CRITICAL9.8ten sam produkt

It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are...

CVE-2011-4628CRITICAL9.8ten sam produkt

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authenticati...

CVE-2026-6553HIGH7.3ten sam produkt

Changing backend users' passwords via the user settings module results in storing the cleartext password in th...

CVE-2025-59018HIGH7.1ten sam produkt

Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0....

CVE-2025-47941HIGH7.2ten sam produkt

TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4...