File Download Vulnerability in TYPO3 CMS Affecting Multiple Versions
CVE-2026-49742

7.1 HIGH

Key Information:

Vendor: TYPO3

Status
Vendor
CVE Published: 9 June 2026

What is CVE-2026-49742?

A security vulnerability in TYPO3 CMS allows backend users with file download permissions to access sensitive files stored in the fallback storage of the file abstraction layer through the Media Module. The fallback storage's reliance on paths relative to the server's document root poses a significant risk, as it could lead to the exposure of sensitive information, including log files. This issue is present in several versions of TYPO3 CMS, making it crucial for users to assess their systems and apply necessary patches.

Affected Version(s)

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

TYPO3 CMS 13.0.0 < 13.4.31
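
To check an installation against the ranges above, the following added example (not code from TYPO3 or from this advisory) reads a composer.lock and reports whether the installed core version is affected. It assumes a Composer-based installation where the core is the `typo3/cms-core` package; the sample lock file is constructed for illustration.

```python
import json
import re

# Affected ranges as listed on this page: (first affected, first fixed).
AFFECTED = [((11, 0, 0), (11, 5, 51)),
            ((12, 0, 0), (12, 4, 46)),
            ((13, 0, 0), (13, 4, 31))]

def parse_version(text):
    """Turn 'v12.4.20' or '12.4.20' into (12, 4, 20); None if not a release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def fixed_in(version):
    """Return the fixed release for an affected version tuple, else None."""
    for first, fixed in AFFECTED:
        if first <= version < fixed:
            return fixed
    return None

def audit_lock(lock_text, package="typo3/cms-core"):
    """Return (status, installed, fixed) for the core entry in a composer.lock."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for entry in entries:
        if entry.get("name") != package:
            continue
        raw = entry.get("version", "")
        version = parse_version(raw)
        if version is None:  # e.g. a dev branch such as "dev-main"
            return ("unknown", raw, None)
        fixed = fixed_in(version)
        return ("affected" if fixed else "not-affected", version, fixed)
    return ("not-installed", None, None)

# Constructed sample lock file, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.20"},
    {"name": "psr/log", "version": "3.0.0"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

A result of "not-affected" only means the version is outside the ranges listed on this page; branches older than 11.0.0 are not covered by the advisory text here.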

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hyunseo Shin
Torben Hansen