TYPO3 CMS - Broken Access Control in DataHandler
CVE-2026-47350

5.3MEDIUM

Key Information:

Vendor: Typo3
Status: Typo3 Cms
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-47350?

Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.

Affected Version(s)

TYPO3 CMS 13.0.0 < 13.4.31

TYPO3 CMS 14.0.0 < 14.3.3

References

https://typo3.org/security/advisory/typo3-core-sa-2026-012

vendor-advisory

https://github.com/TYPO3/typo3/commit/c9898d2e67608eda78f...

patch

https://github.com/TYPO3/typo3/commit/195356996a60e40aeb2...

patch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
May 19, 2026

Credit

Hyunseo Shin

Torben Hansen

CVE-2026-47350 Data

JSON

Typo3

What is CVE-2026-47350?

Affected Version(s)

References

CVSS V4

Timeline

Credit