TYPO3 CMS - Broken Access Control in Recycler
CVE-2026-47349

5.3MEDIUM

Key Information:

Vendor: Typo3
Status: Typo3 Cms
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-47349?

Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

References

https://typo3.org/security/advisory/typo3-core-sa-2026-011

vendor-advisory

https://github.com/TYPO3/typo3/commit/9f17a307cf774d63ab8...

patch

https://github.com/TYPO3/typo3/commit/92f08d8944f1aeccf50...

patch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
May 19, 2026

Credit

Hyunseo Shin

Elias Häußler

CVE-2026-47349 Data

JSON

Typo3

What is CVE-2026-47349?

Affected Version(s)

References

CVSS V4

Timeline

Credit