CVE-2026-47351
TYPO3 CMS: Broken Access Control in Media Module
Description
### Problem Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. ### Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described. ### Credits TYPO3 CMS thanks Vincent Yang for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it. ### Resources * [TYPO3-CORE-SA-2026-014](https://typo3.org/security/advisory/typo3-core-sa-2026-014)
How to fix CVE-2026-47351
To remediate CVE-2026-47351, upgrade the affected package to a fixed version below.
- —upgrade to 10.4.57 or later
- —upgrade to 10.4.57 or later
Is CVE-2026-47351 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47351.
Affected packages (2)
- from 0, < 10.4.57
- from 0, < 10.4.57
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |