Path Traversal Vulnerability in TYPO3 CMS by TYPO3
CVE-2026-49738
2.1 LOW
What is CVE-2026-49738?
A vulnerability in TYPO3 CMS allows an attacker to bypass path validation checks within the File Abstraction Layer. Specifically, the path allowance check in the GeneralUtility::isAllowedAbsPath() function improperly allows directory paths that do not end in a directory separator. As a result, an administrator user can define file storage locations that point to directories outside the acceptable project root, posing a significant security risk. This issue is present in multiple versions of TYPO3 CMS, and upgrading to the specified patched versions is required to mitigate potential exposure.
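The directory-boundary problem described above, as an added example (not TYPO3's code and not the project's patch): a plain prefix test accepts a sibling directory whose name merely begins with the root's name, while a comparison on a directory separator rejects it. The function names, the root /var/www/site and the candidate paths are constructed for illustration, and the prefix test is an assumed model of the flaw.

```php
<?php
declare(strict_types=1);
// Added illustration, not TYPO3 source; function names and paths are hypothetical.
/** Flawed pattern: string-prefix test against a root that has no trailing separator. */
function isAllowedPrefixOnly(string $path, string $root): bool
{
    return str_starts_with($path, $root);
}

/** Lexically normalize an absolute POSIX path; null if relative or ".." climbs above "/". */
function normalizeAbsPath(string $path): ?string
{
    if ($path === '' || $path[0] !== '/') {
        return null;
    }
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // empty segments come from "//" or a trailing "/"
        }
        if ($segment === '..') {
            if ($out === []) {
                return null;
            }
            array_pop($out);
            continue;
        }
        $out[] = $segment;
    }
    return '/' . implode('/', $out);
}

/** Hardened pattern: normalize both sides, then compare on a directory boundary. */
function isAllowedWithBoundary(string $path, string $root): bool
{
    $p = normalizeAbsPath($path);
    $r = normalizeAbsPath($root);
    if ($p === null || $r === null) {
        return false;
    }
    // Appending "/" to both makes "/var/www/site-backup" fail against "/var/www/site/".
    return str_starts_with(rtrim($p, '/') . '/', rtrim($r, '/') . '/');
}

$root = '/var/www/site'; // constructed sample root; the candidate paths are constructed too
$candidates = ['/var/www/site/fileadmin/', '/var/www/site', '/var/www/site-backup/private', '/var/www/site/../site-backup'];
foreach ($candidates as $c) {
    printf("%-30s prefix-only=%-5s boundary=%s\n", $c, var_export(isAllowedPrefixOnly($c, $root), true),
        var_export(isAllowedWithBoundary($c, $root), true));
}
```

The normalization here is purely lexical and does not resolve symlinks; for paths that exist on disk, comparing realpath() results on the same directory boundary covers that case as well.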
Affected Version(s)
TYPO3 CMS 0 < 10.4.57
TYPO3 CMS 11.0.0 < 11.5.51
TYPO3 CMS 12.0.0 < 12.4.46
