Field-Level Access Bypass in TYPO3 CMS by TYPO3 Association
CVE-2025-59020

5.3 MEDIUM

Key Information:

Vendor: TYPO3

Status: Vendor

CVE Published: 13 January 2026

What is CVE-2025-59020?

This vulnerability allows an attacker to abuse the defVals parameter in TYPO3 CMS to bypass field-level access checks during record creation in the backend. A backend user who holds write permissions for only a limited selection of fields in a database table can use it to insert arbitrary data into restricted exclude fields of that table, fields the user is not authorized to edit. As a result, sensitive data may be compromised or corrupted, affecting the integrity and confidentiality of the stored information. Systems running versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, and 14.0.0-14.0.1 are impacted by this issue.

Affected Version(s)

TYPO3 CMS 10.0.0 < 10.4.55

TYPO3 CMS 11.0.0 < 11.5.49

TYPO3 CMS 12.0.0 < 12.4.41

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Windloff
Benjamin Franzke