GHSA-f34x-rx2w-7pm3Medium
TYPO3 CMS has Broken Access Control in the Recycler Module
🔗 CVE IDs covered (1)
📋 Description
Problem
Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify.
Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
Credits
TYPO3 CMS thanks Hyunseo Shin for reporting this issue, and TYPO3 security team member Elias Häußler for fixing it.
Resources
🎯 Affected products10
- composer/typo3/cms-core:< 10.4.57
- composer/typo3/cms-core:>= 11.0.0, < 11.5.51
- composer/typo3/cms-core:>= 12.0.0, < 12.4.46
- composer/typo3/cms-core:>= 13.0.0, < 13.4.31
- composer/typo3/cms-core:>= 14.0.0, < 14.3.3
- composer/typo3/cms-recycler:< 10.4.57
- composer/typo3/cms-recycler:>= 11.0.0, < 11.5.51
- composer/typo3/cms-recycler:>= 12.0.0, < 12.4.46
- composer/typo3/cms-recycler:>= 13.0.0, < 13.4.31
- composer/typo3/cms-recycler:>= 14.0.0, < 14.3.3
🔗 References (7)
- https://github.com/TYPO3/typo3/security/advisories/GHSA-f34x-rx2w-7pm3
- https://nvd.nist.gov/vuln/detail/CVE-2026-47349
- https://github.com/TYPO3/typo3/commit/92f08d8944f1aeccf506fcd323c260448c64d7c8
- https://github.com/TYPO3/typo3/commit/9f17a307cf774d63ab8291fc97c6b55653b4265a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47349.yaml
- https://typo3.org/security/advisory/typo3-core-sa-2026-011
- https://github.com/advisories/GHSA-f34x-rx2w-7pm3