Unauthorized Record Restoration Vulnerability in TYPO3 CMS
CVE-2026-47349

5.3MEDIUM

Key Information:

Vendor

Typo3

Status
Vendor
CVE Published:
9 June 2026

What is CVE-2026-47349?

A vulnerability in TYPO3 CMS allows backend users with access to the Recycler module to restore soft-deleted records on pages or tables that they do not have authorization to modify. This security oversight could potentially lead to unauthorized data exposure or manipulation. Affected versions include earlier iterations of TYPO3 CMS, making it critical for users to review and update to the latest versions to mitigate risks. For more information, you can refer to the TYPO3 security advisory.

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hyunseo Shin
Elias Häußler
.