Path Traversal Vulnerability in TYPO3 CMS by TYPO3
CVE-2026-49738

2.1LOW

Key Information:

Vendor

Typo3

Status
Vendor
CVE Published:
9 June 2026

What is CVE-2026-49738?

A vulnerability exists in TYPO3 CMS that allows an attacker to bypass path validation checks within the File Abstraction Layer. Specifically, the path allowance check in the GeneralUtility::isAllowedAbsPath() function improperly allows directory paths that do not conclude in a directory separator. As a result, an administrator user can define file storage locations that point to directories outside the acceptable project root, posing a significant security risk. This issue is present in multiple versions of TYPO3 CMS, necessitating upgrading to the specified patched versions to mitigate potential exposure.

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Wolfgang Klinger
Oliver Hader
.