File Metadata Access Vulnerability in TYPO3 CMS by TYPO3
CVE-2026-47352

5.3MEDIUM

Key Information:

Vendor

Typo3

Status
Vendor
CVE Published:
9 June 2026

What is CVE-2026-47352?

An access control vulnerability exists in TYPO3 CMS that allows authenticated backend users to retrieve protected file metadata via multiple Backend API routes without sufficient permission verification. This flaw permits users to access files that they should not be able to see, extending beyond their allocated storage areas. This issue predominantly affects several versions of TYPO3 CMS, necessitating immediate attention and action to secure user data.

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Phong Lan
Oliver Hader
.