CSRF Vulnerability in TYPO3 Webhooks Affecting Versions 12.x and 13.x
CVE-2025-47936

3.3 LOW

Key Information:

Vendor: TYPO3

Status: Vendor

CVE Published: 20 May 2025

What is CVE-2025-47936?

TYPO3, a widely used PHP-based content management system, has reported a security issue related to its webhook functionality. Versions on the 12.x branch before 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS are susceptible to Cross-Site Request Forgery (CSRF) attacks. This vulnerability does not originate from TYPO3 itself but can be leveraged by attackers to gain unauthorized access to internal resources, such as localhost or other local services. An attacker requires an administrator-level backend user account to exploit this issue, so users should promptly update to the recommended TYPO3 versions to secure their systems.
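One defensive control for the attack path described above (a webhook target that points at localhost or another internal service), as an added example that is not TYPO3's own code: a target-URL check that resolves the hostname and rejects loopback, private, link-local and other non-public addresses, including IPv4-mapped IPv6 forms. The function names and the injectable resolver are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_ip(ip):
    """True for any address a webhook should never be allowed to reach."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.1 is really 10.0.0.1; unwrap before classifying
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_webhook_target(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a webhook target URL.

    Rejects non-http(s) schemes, missing hosts, embedded credentials, and any
    host that resolves to a non-public address. `resolver` takes (host, port)
    and returns getaddrinfo-style tuples; it is injectable so the check can run
    offline in tests (assumed helper, not a TYPO3 API).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:  # IP literal: classify directly, no DNS involved
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:  # hostname: check *every* address it resolves to
        try:
            infos = resolver(host, None)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
        addrs = sorted({info[4][0] for info in infos})
    for ip in addrs:
        if is_internal_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    # Caveat: DNS can change between this check and the real request
    # (rebinding); pin the validated IP when the webhook is delivered.
    return True, "ok"
```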

Affected Version(s)

typo3: affected >= 12.0.0, < 12.4.31 (not affected: < 12.0.0; fixed in 12.4.31)

typo3: affected >= 13.0.0, < 13.4.12 (not affected: < 13.0.0; fixed in 13.4.12)

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
