PT-2026-2474 · Typo3
Benjamin Franzke +1
Published 2026-01-13 · Updated 2026-01-13
CVE-2025-59020
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
TYPO3 versions 10.0.0 through 10.4.54
TYPO3 versions 11.0.0 through 11.5.48
TYPO3 versions 12.0.0 through 12.4.40
TYPO3 versions 13.0.0 through 13.4.22
TYPO3 versions 14.0.0 through 14.0.1
Description
A manipulated defVals parameter can bypass field-level access checks during record creation in the TYPO3 backend. Successful exploitation lets an authenticated backend user who already holds write permission for a limited set of fields insert arbitrary data into restricted fields of the same database table.
Recommendations
TYPO3 versions 10.0.0 through 10.4.54 should be updated.
TYPO3 versions 11.0.0 through 11.5.48 should be updated.
TYPO3 versions 12.0.0 through 12.4.40 should be updated.
TYPO3 versions 13.0.0 through 13.4.22 should be updated.
TYPO3 versions 14.0.0 through 14.0.1 should be updated.
Fix
LPE
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Typo3