Data Deletion Vulnerability in TYPO3 CMS by TYPO3
CVE-2025-59022

7.1 HIGH

Key Information:

Vendor

Typo3

Status
Vendor
CVE Published: 13 January 2026

What is CVE-2025-59022?

TYPO3 CMS is affected by a serious vulnerability that allows backend users with access to the recycler module to delete arbitrary data from any defined database table, irrespective of their permissions on those tables. This flaw can lead to the unauthorized purge of critical site data, causing potential downtime and unavailability of the entire website. This issue affects multiple versions of TYPO3 CMS, necessitating immediate attention and remediation by administrators to safeguard their data integrity and security.

Affected Version(s)

TYPO3 CMS 10.0.0 < 10.4.55

TYPO3 CMS 11.0.0 < 11.5.49

TYPO3 CMS 12.0.0 < 12.4.41

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sven Jürgens
Daniel Windloff
Elias Häußler