=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN611
_____________________________________________________________________

DATE                : 10/06/2026 (10 June 2026)

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3 versions prior to
                     10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
                     13.4.31 LTS, 14.3.3 LTS.

=====================================================================
https://lists.typo3.org/pipermail/typo3-announce/2026/000618.html
https://typo3.org/security/advisory/typo3-core-sa-2026-009
https://typo3.org/security/advisory/typo3-core-sa-2026-008
https://typo3.org/security/advisory/typo3-core-sa-2026-007
https://typo3.org/security/advisory/typo3-core-sa-2026-006
https://typo3.org/security/advisory/typo3-core-sa-2026-019
https://typo3.org/security/advisory/typo3-core-sa-2026-018
https://typo3.org/security/advisory/typo3-core-sa-2026-017
https://typo3.org/security/advisory/typo3-core-sa-2026-016
https://typo3.org/security/advisory/typo3-core-sa-2026-015
https://typo3.org/security/advisory/typo3-core-sa-2026-014
https://typo3.org/security/advisory/typo3-core-sa-2026-013
https://typo3.org/security/advisory/typo3-core-sa-2026-012
_____________________________________________________________________

Dear TYPO3 Community,

today we've released TYPO3 14.3.3 LTS and 13.4.31 LTS, which are
ready for you to download.

All versions are security releases and contain important security
fixes - read the corresponding security advisories here:

https://typo3.org/security/advisory/typo3-core-sa-2026-006
https://typo3.org/security/advisory/typo3-core-sa-2026-007
https://typo3.org/security/advisory/typo3-core-sa-2026-008
https://typo3.org/security/advisory/typo3-core-sa-2026-009
https://typo3.org/security/advisory/typo3-core-sa-2026-010
https://typo3.org/security/advisory/typo3-core-sa-2026-011
https://typo3.org/security/advisory/typo3-core-sa-2026-012
https://typo3.org/security/advisory/typo3-core-sa-2026-013
https://typo3.org/security/advisory/typo3-core-sa-2026-014
https://typo3.org/security/advisory/typo3-core-sa-2026-015
https://typo3.org/security/advisory/typo3-core-sa-2026-016
https://typo3.org/security/advisory/typo3-core-sa-2026-017
https://typo3.org/security/advisory/typo3-core-sa-2026-018
https://typo3.org/security/advisory/typo3-core-sa-2026-019

For details about the releases, please see:

https://news.typo3.com/article/typo3-1433-and-13431-security-releases-published


The packages can be downloaded here:

https://get.typo3.org/


SHA256 checksums:

39c5ababa18f0a4bce748a9dc7a3864a1c21e3fc5d00c059a7f797cfd3b8a698  typo3_src-13.4.31.tar.gz
9291bce85d58199b51eb3b509b810b0d04dab4aa19bd2fce629641b37668464b  typo3_src-13.4.31.zip
8b41d50d7aec1866ca4e07dab58f55e8b5c835b268a17d80c82f8ce7f23ea6ab  typo3_src-14.3.3.tar.gz
2b89d857c1e46c7bd2c281750cbfb54ee23bbe4ab28a6191d7252b078096460c  typo3_src-14.3.3.zip


Further details on the signing and hashing process of TYPO3 releases:

https://docs.typo3.org/permalink/t3coreapi:release-integrity


Best regards
Oliver Hader
--
Oliver Hader

TYPO3 .... inspiring people to share!
Get involved: https://typo3.community
_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-009: Open Redirect in TYPO3 CMS
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to open
redirect.

    Component Type: TYPO3 CMS
    Subcomponent: Core Utilities (ext:core)
    Release Date: June 9, 2026
    Vulnerability Type: Open Redirect
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
    References: CVE-2026-47347, CWE-601

Problem Description

Applications that rely on GeneralUtility::sanitizeLocalUrl to restrict
a URL to local targets are vulnerable to open redirect when the value
returned by that check is subsequently used, for example as a redirect
destination: a URL that passes the sanitization check can still lead
the browser to an external site. This enables attackers to redirect
users to external content and carry out phishing attacks.
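The following is an added example, not TYPO3's GeneralUtility::sanitizeLocalUrl() and not the fix from this advisory (the advisory does not say which input slips past the original check). It shows the shape of a local-redirect check that fails closed: instead of stripping known-bad prefixes it requires a single-slash, site-relative path and rejects everything else, including the scheme-relative forms (//host, /\host, \\host) that browsers resolve to a foreign origin. The function name and the sample URLs are constructed for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether a redirect target stays on the current host.
 *
 * Illustrative check, not TYPO3's GeneralUtility::sanitizeLocalUrl().
 * The rule is an allow-list ("a single-slash site-relative path") rather
 * than a deny-list of known bad prefixes, because browsers turn "//host",
 * "/\host", "\\host" and "scheme:host" into absolute URLs.
 */
function isSafeLocalRedirect(string $url): bool
{
    // Browsers strip leading/trailing ASCII whitespace and NUL, so
    // "\t//evil.example" would otherwise slip past a prefix check.
    $url = trim($url, " \t\n\r\0\x0B");

    if ($url === '' || strlen($url) > 2048) {   // 2048: sanity limit only
        return false;
    }
    // Any scheme ("http:", "javascript:", "data:") is not a relative path.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url)) {
        return false;
    }
    // Exactly one leading slash, not followed by "/" or "\" (both yield a
    // scheme-relative URL in browsers).
    if (!preg_match('#^/(?![/\\\\])#', $url)) {
        return false;
    }
    // No backslash or control byte anywhere; browsers normalise "\" to "/".
    if (preg_match('#[\\\\\x00-\x1F\x7F]#', $url)) {
        return false;
    }
    // Final guard: the parsed URL must carry neither scheme nor host.
    $parts = parse_url($url);
    return $parts !== false && !isset($parts['host']) && !isset($parts['scheme']);
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    '/typo3/module/web/list?id=1' => true,
    '/index.php?id=42#anchor'     => true,
    '//evil.example/phish'        => false,
    '/\\evil.example'             => false,
    '\\\\evil.example'            => false,
    'https://evil.example/'       => false,
    'javascript:alert(1)'         => false,
    "\t//evil.example"            => false,
    ''                            => false,
];
foreach ($samples as $url => $expected) {
    $ok = isSafeLocalRedirect($url);
    if ($ok !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($url));
    }
    printf("%-32s %s\n", json_encode($url), $ok ? 'allow' : 'reject');
}
```

Where the application needs redirects to a small set of other hosts, extend the allow-list with those exact host names rather than loosening the path rule; the check should never answer "local" for an input that is anything other than a plain site-relative path.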


Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
13.4.31 LTS, 14.3.3 LTS that fix the problem described.


Credits

Thanks to Alexandre Romao for reporting this issue, and to TYPO3
core & security team member Benjamin Franzke for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily
look them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-008: Broken Access Control in Form Framework
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Form Framework (ext:form)
    Release Date: June 9, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: High
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
    References: CVE-2026-47346, CWE-178, CWE-862

Problem Description

Backend users with file write permissions were able to upload form
definition files with mixed-case extensions (e.g., .FORM.YAML) to
bypass the Form Framework's upload restriction. Maliciously crafted
form definition files can be used to execute arbitrary SQL statements,
allowing attackers to escalate privileges by creating administrative
backend user accounts.


Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
13.4.31 LTS, 14.3.3 LTS that fix the problem described.


Credits

Thanks to Alexander Künzl for reporting this issue, and to TYPO3
core & security team members Oliver Hader and Benjamin Franzke for
fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-007: Broken Access Control in File Abstraction Layer
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: File Abstraction Layer (ext:core)
    Release Date: June 9, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: High
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
    References: CVE-2026-47343, CWE-862


Problem Description

Non-privileged backend users with file mount access were able to perform
write operations (move, delete, rename) on folders representing the root
of an active file mount due to missing authorization restrictions.


Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
13.4.31 LTS, 14.3.3 LTS that fix the problem described.


Credits

Thanks to Arne Uplegger for reporting this issue, and to TYPO3
security team member Elias Häußler for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-006: By-passing Cross-Site Scripting Protection in
HTML Sanitizer
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to cross-site
scripting.

    Component Type: TYPO3 CMS
    Subcomponent: HTML Sanitizer (based on typo3/html-sanitizer)
    Release Date: June 9, 2026
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
    References: CVE-2026-47344, CVE-2026-47345, CWE-79

Problem Description

The typo3/html-sanitizer package allows bypassing the cross-site
scripting prevention mechanism:

    CVE-2026-47344: When ALLOW_INSECURE_RAW_TEXT is enabled,
    whitespace-variant closing tags (e.g., </style\t>, with a tab
    character before the closing angle bracket) are not recognized
    by the sanitizer but are accepted by browsers as valid end tags,
    allowing subsequent content to escape sanitization.
    CVE-2026-47345: Namespace attributes are not encoded correctly
    during HTML serialization. This allows bypassing the cross-site
    scripting prevention mechanism of typo3/html-sanitizer.
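As an added illustration of the first issue (not typo3/html-sanitizer's own code; the sanitizer's raw-text handling is not reproduced here), the two functions below contrast a scanner that looks for the literal </style> with one that applies the HTML tokenizer's rule for ending a raw-text element: the end tag counts as soon as "</" plus the tag name is followed by tab, LF, FF, space, "/" or ">". The input string is constructed; the tab after "style" is the variant the advisory names.

```php
<?php
declare(strict_types=1);

/**
 * Where does the raw text of a <style> or <script> element end?
 *
 * Added illustration, not typo3/html-sanitizer's code. Per the HTML
 * tokenizer, an end tag for a raw-text element is recognised as soon as
 * "</" + tag name is followed by tab, LF, FF, space, "/" or ">" (case-
 * insensitive). A scanner that looks for the literal "</style>" stops too
 * late: it keeps "</style\t>..." as raw text, while the browser leaves
 * raw-text mode at "</style\t>" and parses whatever follows as markup.
 */
function rawTextEndNaive(string $html, string $tag, int $from): int|false
{
    return stripos($html, "</{$tag}>", $from);
}

function rawTextEndSpec(string $html, string $tag, int $from): int|false
{
    // [\t\n\f />] is the tokenizer's follow set for an end tag name.
    // CR is absent because the input stream normalises CRLF/CR to LF first.
    $re = '#</' . preg_quote($tag, '#') . '(?=[\t\n\f />])#i';
    if (preg_match($re, $html, $m, PREG_OFFSET_CAPTURE, $from) !== 1) {
        return false;
    }
    return $m[0][1];
}

/** Raw-text content of the first <tag> element, by either end-tag rule. */
function extractRawText(string $html, string $tag, bool $specCompliant): ?string
{
    $openRe = '#<' . preg_quote($tag, '#') . '(?:[\t\n\f /][^>]*)?>#i';
    if (preg_match($openRe, $html, $m, PREG_OFFSET_CAPTURE) !== 1) {
        return null;
    }
    $start = $m[0][1] + strlen($m[0][0]);
    $end   = $specCompliant
        ? rawTextEndSpec($html, $tag, $start)
        : rawTextEndNaive($html, $tag, $start);
    return $end === false ? null : substr($html, $start, $end - $start);
}

// Constructed input; "\t" before ">" is the whitespace variant from the advisory.
$html = "<style>p{}</style\t><img src=x onerror=alert(1)></style>";

$naive = extractRawText($html, 'style', false);   // swallows the <img ...> as CSS
$spec  = extractRawText($html, 'style', true);    // "p{}": the <img ...> is markup

echo "naive raw text : ", json_encode($naive), "\n";
echo "spec raw text  : ", json_encode($spec), "\n";
```

The practical check for an installation is whether ALLOW_INSECURE_RAW_TEXT is enabled anywhere in its sanitizer configuration: the advisory ties CVE-2026-47344 to that flag, so instances that leave it off are not exposed to this particular bypass, while those that need it must update.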


Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS,
12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the
problem described.


Credits

Thanks to IPC Labs and Doyensec in collaboration with
Claude and Anthropic Research for reporting these issues,
and to TYPO3 core & security team members Benjamin Franzke
and Oliver Hader for fixing them.


General Advice

Follow the recommendations that are given in the TYPO3
Security Guide. Please subscribe to the typo3-announce
mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-019: Broken Access Control in Form Framework
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Form Framework (ext:form)
    Release Date: June 9, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: High
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
    References: CVE-2026-11607, CWE-862

Problem Description

Backend users with access to the Form Framework were able to use files
not ending in .form.yaml as form definitions, which were processed
without denying the incorrect file extension. Maliciously crafted form
definition files can be used to execute arbitrary SQL statements,
allowing attackers to escalate privileges by creating administrative
backend user accounts.
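SA-2026-008 above and SA-2026-019 here are two sides of one defect: the file-module upload restriction and the Form Framework loader answered the question "is this file a form definition?" differently (one case-sensitively, the other not at all). The added example below, which is not ext:form's code, puts that question in a single normalised predicate and derives both rules from it, so the two code paths cannot disagree. The function names and sample file names are constructed.

```php
<?php
declare(strict_types=1);

/**
 * One normalised answer to "is this file a form definition?", shared by the
 * upload restriction and the loader. Illustrative code, not ext:form's own.
 *
 *  - SA-2026-008: the upload restriction compared the suffix case-sensitively,
 *    so "x.FORM.YAML" was not denied, yet the framework later loaded it.
 *  - SA-2026-019: the loader did not check the suffix at all, so "x.yaml"
 *    was processed as a form definition.
 * Deriving both rules from one predicate removes the disagreement.
 */
function hasFormDefinitionSuffix(string $fileName): bool
{
    // Path separators, NUL and other control bytes are refused before any
    // extension decision: fail closed rather than guess.
    if (preg_match('#[/\\\\\x00-\x1F\x7F]#', $fileName)) {
        throw new InvalidArgumentException('invalid character in file name');
    }
    // Some file systems drop trailing spaces and dots; normalise them away so
    // "x.form.yaml " and "x.form.yaml" get the same answer on both sides.
    $fileName = rtrim($fileName, " .");
    $suffix   = '.form.yaml';
    if (strlen($fileName) <= strlen($suffix)) {
        return false;                 // ".form.yaml" alone has no base name
    }
    // Compare the whole multi-part suffix, case-insensitively.
    return strtolower(substr($fileName, -strlen($suffix))) === $suffix;
}

/** File module rule: raw form definitions may not be uploaded. */
function isUploadAllowedInFileModule(string $fileName): bool
{
    return !hasFormDefinitionSuffix($fileName);
}

/** Form framework rule: only form definitions may be parsed as such. */
function isLoadableFormDefinition(string $fileName): bool
{
    return hasFormDefinitionSuffix($fileName);
}

// Constructed sample file names (not taken from the advisories).
$samples = [
    'contact.form.yaml'     => true,
    'contact.FORM.YAML'     => true,   // SA-2026-008 shape: now denied at upload
    'contact.Form.Yaml '    => true,   // trailing space, same decision
    'contact.yaml'          => false,  // SA-2026-019 shape: now refused by loader
    'contact.form.yml'      => false,
    'contact.form.yaml.bak' => false,
    '.form.yaml'            => false,
];
foreach ($samples as $name => $isDefinition) {
    if (hasFormDefinitionSuffix($name) !== $isDefinition) {
        throw new RuntimeException('unexpected result for ' . json_encode($name));
    }
    printf("%-24s upload:%-5s load:%s\n", json_encode($name),
        isUploadAllowedInFileModule($name) ? 'allow' : 'deny',
        isLoadableFormDefinition($name) ? 'yes' : 'no');
}
foreach (['sub/contact.form.yaml', "contact.form.yaml\0"] as $bad) {
    try {
        hasFormDefinitionSuffix($bad);
    } catch (InvalidArgumentException $e) {
        printf("%-24s rejected: %s\n", json_encode($bad), $e->getMessage());
    }
}
```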

Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
13.4.31 LTS, 14.3.3 LTS that fix the problem described.


Credits

Thanks to “Ethan” for reporting this issue, and to TYPO3 core & security
team member Oliver Hader for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-018: Insecure Deserialization in Core API
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to insecure
deserialization.

    Component Type: TYPO3 CMS
    Subcomponent: Core API (ext:core)
    Release Date: June 9, 2026
    Vulnerability Type: Insecure Deserialization
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
    References: CVE-2026-49740, CWE-502

Problem Description

TYPO3's cache frontend (VariableFrontend) and persistent key-value store
(Registry) deserialized PHP payloads without integrity validation or
class restrictions. An attacker with write access to the underlying
storage backend (cache store or sys_registry database table) could
inject a crafted serialized payload to trigger PHP Object Injection,
potentially exploiting a gadget chain to achieve Remote Code Execution
or other high-impact effects.

Exploiting this vulnerability requires direct local write access to
the storage, such as the SQL database or file system.
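An added example (PHP 8.1+, not TYPO3's VariableFrontend or Registry implementation) of the two guards the advisory says were missing: an integrity check on the serialized bytes before unserialize() is called, and an allowed_classes restriction so that a blob which does get deserialized cannot instantiate arbitrary classes. The store, the key, the entry names and the Gadget class are constructed stand-ins.

```php
<?php
declare(strict_types=1);

/**
 * Integrity-checked, class-restricted storage of serialized PHP values.
 *
 * Added illustration (PHP 8.1+), not TYPO3's VariableFrontend or Registry.
 * The advisory's gap: bytes read back from the backend went straight into
 * unserialize() with neither an integrity check nor a class restriction, so
 * write access to the backend was enough for PHP Object Injection.
 * Two independent guards are applied here:
 *   1. an HMAC over (entry name, serialized bytes) with a secret the storage
 *      backend does not hold; DEMO_KEY is a constructed stand-in for it;
 *   2. unserialize() with an explicit allowed_classes list, so that even an
 *      authenticated blob cannot instantiate classes the cache never stores.
 */

const DEMO_KEY = 'constructed-demo-key-not-a-real-secret';

final class SealedStore
{
    /** @var array<string,string> in-memory stand-in for the cache/sys_registry backend */
    private array $backend = [];

    /** @param list<class-string> $allowedClasses value classes this store may revive */
    public function __construct(
        private readonly string $key,
        private readonly array $allowedClasses = [],
    ) {}

    public function set(string $name, mixed $value): void
    {
        $blob = serialize($value);
        // Binding the MAC to the entry name prevents replaying a valid blob
        // written under one entry as the value of another.
        $mac = hash_hmac('sha256', $name . "\0" . $blob, $this->key);
        $this->backend[$name] = $mac . ':' . $blob;
    }

    public function get(string $name): mixed
    {
        if (!isset($this->backend[$name])) {
            return null;
        }
        [$mac, $blob] = explode(':', $this->backend[$name], 2) + [1 => ''];
        $expected = hash_hmac('sha256', $name . "\0" . $blob, $this->key);
        if (!hash_equals($expected, $mac)) {
            return null;   // tampered or foreign data: a miss, never unserialized
        }
        return unserialize($blob, ['allowed_classes' => $this->allowedClasses]);
    }

    /** Simulates an attacker with direct write access to the backend. */
    public function tamperBackend(string $name, string $rawValue): void
    {
        $this->backend[$name] = $rawValue;
    }
}

/** Stand-in for a gadget class; real chains hook __wakeup/__destruct. */
final class Gadget
{
    public function __construct(public string $cmd = 'id') {}
}

$store = new SealedStore(DEMO_KEY);
$store->set('site/config', ['locale' => 'fr_FR', 'ttl' => 300]);
var_dump($store->get('site/config'));       // the array round-trips normally

// 1) Attacker writes a raw serialized object straight into the backend.
$payload = serialize(new Gadget('touch /tmp/pwned'));   // constructed, never run
$store->tamperBackend('site/config', $payload);
var_dump($store->get('site/config'));       // NULL: no valid MAC, never unserialized

// 2) Even a correctly MACed blob (say the key leaked) cannot revive Gadget:
//    allowed_classes => [] yields __PHP_Incomplete_Class, no magic methods run.
$forged = hash_hmac('sha256', "site/config\0" . $payload, DEMO_KEY);
$store->tamperBackend('site/config', $forged . ':' . $payload);
var_dump($store->get('site/config'));       // object(__PHP_Incomplete_Class)
```

The allowed_classes list should name exactly the value classes the cache legitimately stores (often none, in which case an empty list is right), and the MAC key must live outside the backend it protects; a key kept in the same database table as sys_registry would be readable by the same attacker the advisory describes.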


Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
13.4.31 LTS, 14.3.3 LTS that fix the problem described.

Credits

Thanks to “z3rco”, Chowdhury Faizal Ahammed, Rick Larabee, Vitaly
Simonovich, Nozomu Sasaki, Mert Akdag, “tikket”, Shafi Almutairi
for reporting this issue, and to TYPO3 core & security team member
Oliver Hader for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-017: Privilege Escalation & SQL Injection in Form
Framework
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to privilege
escalation and SQL injection.

    Component Type: TYPO3 CMS
    Subcomponent: Form Framework (ext:form)
    Release Date: June 9, 2026
    Vulnerability Type: Privilege Escalation & SQL Injection
    Affected Versions: 14.0.0-14.3.2
    Severity: High
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
    References: CVE-2026-49741, CWE-89, CWE-862

Problem Description

Backend users with write access to the form_definition database table were able
to directly create, update, or delete form definition records via DataHandler,
bypassing the Form Framework's persistence validation and permission checks.
This allowed injecting arbitrary form configurations, re-enabling attack
vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection
and privilege escalation.


Solution

Update to TYPO3 version 14.3.3 LTS that fixes the problem described.


Credits

Thanks to Selçuk Güney for reporting this issue, and to TYPO3 core &
security team member Oliver Hader for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-016: Broken Access Control in File Abstraction Layer
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Core API (ext:core)
    Release Date: June 9, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: Low
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    References: CVE-2026-49738, CWE-22

Problem Description

The path allowance check in GeneralUtility::isAllowedAbsPath() performed
a plain string prefix comparison without requiring a directory separator
boundary, causing a path like /var/www/html-other/secret.yaml to be
incorrectly accepted as valid when the project root was /var/www/html.
Administrator users with access to the File Abstraction Layer were able
to create new file storage definitions pointing to directories outside
the project root, bypassing this path check.
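The check below is an added example, not GeneralUtility::isAllowedAbsPath(). It reproduces the advisory's case (/var/www/html-other/secret.yaml against a root of /var/www/html) with the naive prefix comparison beside a version that normalises both paths lexically and then requires either equality with the root or the root followed by a directory separator. The function names and the other sample paths are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Is $path inside $root? Illustrative, not GeneralUtility::isAllowedAbsPath().
 *
 * The advisory's bug: str_starts_with('/var/www/html-other/secret.yaml',
 * '/var/www/html') is true, so a sibling directory passed the check. The
 * hardened form compares against the root plus a trailing separator, after
 * normalising both sides, and accepts the root itself explicitly.
 */
function isInsideRoot(string $path, string $root): bool
{
    $normalize = static function (string $p): string {
        // Collapse "//" and "/./" and resolve "/../" lexically, so that
        // "/var/www/html/../html-other" is seen for what it is even when the
        // path does not exist on disk (where realpath() would return false).
        $out = [];
        foreach (explode('/', str_replace('\\', '/', $p)) as $seg) {
            if ($seg === '' || $seg === '.') {
                continue;
            }
            if ($seg === '..') {
                array_pop($out);
                continue;
            }
            $out[] = $seg;
        }
        return '/' . implode('/', $out);
    };

    // NUL bytes truncate paths in C-level APIs; never let them through.
    if (str_contains($path, "\0") || str_contains($root, "\0")) {
        return false;
    }
    $path = $normalize($path);
    $root = $normalize($root);

    if ($root === '/') {
        return true;                  // everything is under the file-system root
    }
    // Either the root itself, or the root followed by a separator boundary.
    return $path === $root || str_starts_with($path, $root . '/');
}

/** The vulnerable form, kept only to show the difference. */
function isInsideRootNaive(string $path, string $root): bool
{
    return str_starts_with($path, $root);
}

// Constructed cases; the second one is the advisory's own example.
$root  = '/var/www/html';
$cases = [
    '/var/www/html/fileadmin/a.txt'       => true,
    '/var/www/html-other/secret.yaml'     => false,
    '/var/www/html'                       => true,
    '/var/www/html/'                      => true,
    '/var/www/html/../html-other/x'       => false,
    '/var/www/html/./sub//file'           => true,
    '/var/www/htmlx'                      => false,
    "/var/www/html/ok\0/../../etc/passwd" => false,
];
foreach ($cases as $path => $expected) {
    $hardened = isInsideRoot($path, $root);
    if ($hardened !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($path));
    }
    printf("%-40s naive:%-5s hardened:%s\n", json_encode($path),
        isInsideRootNaive($path, $root) ? 'true' : 'false',
        $hardened ? 'true' : 'false');
}
```

Lexical normalisation does not follow symbolic links: a link inside the root that points outside it would still pass. For paths that already exist, resolve both sides with realpath() first and apply the same boundary comparison to the results.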


Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
13.4.31 LTS, 14.3.3 LTS that fix the problem described.


Credits

Thanks to Wolfgang Klinger for reporting this issue, and to
TYPO3 core & security team member Oliver Hader for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-015: Broken Access Control in Backend API
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Backend API (ext:backend)
    Release Date: June 9, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
    References: CVE-2026-47352, CWE-862

Problem Description

Authenticated backend users were able to retrieve file metadata via
several Backend API routes without proper permission checks, allowing
access to files outside their permitted file mounts or storages.


Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
13.4.31 LTS, 14.3.3 LTS that fix the problem described.


Credits

Thanks to Phong Lan for reporting this issue, and to TYPO3 core &
security team member Oliver Hader for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-014: Broken Access Control in Clipboard
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Clipboard (ext:backend)
    Release Date: June 9, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45,
13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
    References: CVE-2026-47351, CWE-200, CWE-862

Problem Description

Backend users were able to insert arbitrary records and files into the
TYPO3 clipboard without proper read permission checks, which allowed
users to gather information about records and files they were not
authorized to view.


Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,
13.4.31 LTS, 14.3.3 LTS that fix the problem described.

Credits

Thanks to Vincent Yang for reporting this issue, and to TYPO3
security team member Elias Häußler for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-013: Broken Access Control in Media Module
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Media Module (ext:filelist)
    Release Date: June 9, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30,
14.0.0-14.3.2
    Severity: High
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
    References: CVE-2026-49742, CWE-22, CWE-200

Problem Description

Backend users with file download permissions were able to download
files from the fallback storage of the file abstraction layer (FAL)
via the Media Module. Since the fallback storage resolves paths
relative to the server's document root, this could expose sensitive
files such as log files.


Solution

Update to TYPO3 versions 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS,
14.3.3 LTS that fix the problem described.


Credits

Thanks to Hyunseo Shin for reporting this issue, and to TYPO3
security team member Torben Hansen for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 9th June, 2026
TYPO3-CORE-SA-2026-012: Broken Access Control in DataHandler
Categories: TYPO3 CMS Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: DataHandler (ext:core)
    Release Date: June 9, 2026
    Vulnerability Type: Broken Access Control
    Affected Versions: 13.0.0-13.4.30, 14.0.0-14.3.2
    Severity: Medium
    Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
    References: CVE-2026-47350, CWE-862

Problem Description

Backend users were able to move records to a different page without
having edit permissions on the source page.


Solution

Update to TYPO3 versions 13.4.31 LTS, 14.3.3 LTS that fix the problem
described.


Credits

Thanks to Hyunseo Shin for reporting this issue, and to TYPO3 security
team member Torben Hansen for fixing it.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security-related code changes are tagged so you can easily look
them up in our review system.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================