CVE-2025-59022

Name of the Vulnerable Software and Affected Versions TYPO3 CMS versions 10.0.0 through 10.4.54 TYPO3 CMS versions 11.0.0 through 11.5.48 TYPO3 CMS versions 12.0.0 through 12.4.40 TYPO3 CMS versions 13.0.0 through 13.4.22 TYPO3 CMS versions 14.0.0 through 14.0.1

Description Backend users with access to the recycler module could delete arbitrary data from any database table defined in the TCA, irrespective of their permissions for that specific table. This allowed attackers to purge and destroy critical site data, potentially rendering the website unavailable. The issue concerns the TYPO3 CMS recycler module and its interaction with the TCA (TypoScript Configuration Array).

Recommendations TYPO3 CMS versions 10.0.0 through 10.4.54 should be updated to a newer, fixed version. TYPO3 CMS versions 11.0.0 through 11.5.48 should be updated to a newer, fixed version. TYPO3 CMS versions 12.0.0 through 12.4.40 should be updated to a newer, fixed version. TYPO3 CMS versions 13.0.0 through 13.4.22 should be updated to a newer, fixed version. TYPO3 CMS versions 14.0.0 through 14.0.1 should be updated to a newer, fixed version.