CVE-2025-59020
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TYPO3 | TYPO3 CMS | 10.0.0 < 10.4.55 | affected |
| TYPO3 | TYPO3 CMS | 11.0.0 < 11.5.49 | affected |
| TYPO3 | TYPO3 CMS | 12.0.0 < 12.4.41 | affected |
| TYPO3 | TYPO3 CMS | 13.0.0 < 13.4.23 | affected |
| TYPO3 | TYPO3 CMS | 14.0.0 < 14.0.2 | affected |
Weaknesses
- CWE-863: CWE-863 Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://typo3.org/security/advisory/typo3-core-sa-2026-001
- https://github.com/TYPO3/typo3/commit/ac3f792bd5ab7c58153fc1075cb9e001c9cebe3b
- https://github.com/TYPO3/typo3/commit/fb98378a8fd30dd50d89a3d1a420780819f38232
- https://github.com/TYPO3/typo3/commit/cd11a19958d823d12d028f9345b41739c7e70118
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.