TYPO3 CMS - Open Redirect in Core Utilities
CVE-2026-47347

5.3MEDIUM

Key Information:

Vendor: Typo3
Status: Typo3 Cms
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-47347?

Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

References

https://typo3.org/security/advisory/typo3-core-sa-2026-009

vendor-advisory

https://github.com/TYPO3/typo3/commit/3ffc0835012c6199db0...

patch

https://github.com/TYPO3/typo3/commit/22c2dd5398ebc4cb7aa...

patch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
May 19, 2026

Credit

Alexandre Romao

Benjamin Franzke

CVE-2026-47347 Data

JSON

Typo3

What is CVE-2026-47347?

Affected Version(s)

References

CVSS V4

Timeline

Credit