pkg:Packagist/typo3/cms-core

85 total CVEs: HIGH 19, MEDIUM 49, LOW 6

All known vulnerabilities

  • HIGH 8.8 CVE-2023-24814 TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering
    >= 12.0.0, < 12.2.0
  • HIGH 8.8 CVE-2019-12747 TYPO3 Vulnerable to Insecure Deserialization
    >= 8.0.0, < 8.7.27
  • HIGH 8.8 CVE-2019-19849 TYPO3 Insecure Deserialization in Query Generator & Query View
    >= 10.0.0, < 10.2.1
  • HIGH 8.8 CVE-2021-41113 Cross-Site-Request-Forgery in Backend
    >= 11.2.0, < 11.5.0
  • HIGH 8.8 CVE-2020-15098 Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
    >= 9.0.0, < 9.5.20
  • HIGH 8.8 CVE-2020-11067 Insecure Deserialization in Backend User Settings in TYPO3 CMS
    >= 9.0.0, < 9.5.17
  • HIGH 8.7 CVE-2020-11066 Class destructors causing side-effects when being unserialized in TYPO3 CMS
    >= 9.0.0, < 9.5.17
  • HIGH 8.6 CVE-2021-21355 Unrestricted File Upload in Form Framework
    >= 10.0.0, < 10.4.14
  • HIGH 8.3 CVE-2021-21357 Broken Access Control in Form Framework
    >= 10.0.0, < 10.4.14
  • HIGH 8.1 CVE-2020-26228 Cleartext storage of session identifier
    >= 9.0.0, < 9.5.23
  • HIGH 8.1 CVE-2020-15099 Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS
    >= 9.0.0, < 9.5.20
  • HIGH 8.0 CVE-2020-11069 Backend Same-Site Request Forgery in TYPO3 CMS
    >= 9.0.0, < 9.5.17
  • HIGH 7.5 CVE-2022-23503 TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework
    >= 8.0.0, < 8.7.49
  • HIGH 7.5 CVE-2019-11832 TYPO3 Image Processing susceptible to Code Execution
    >= 8.0.0, < 8.7.25
  • HIGH 7.4 CVE-2013-1842 typo3-src - several
    >= 4.5.0, < 4.5.24
  • HIGH 7.2 CVE-2025-47940 TYPO3 Allows Privilege Escalation to System Maintainer
    >= 10.4.0, < 10.4.50
  • HIGH 7.2 CVE-2024-22188 TYPO3 Install Tool vulnerable to Code Execution
    >= 8.0.0, < 8.7.57
  • HIGH 7.1 CVE-2024-25121 TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler
    >= 8.0.0, < 8.7.57
  • HIGH 7.1 CVE-2019-10912 Deserialization of untrusted data in Symfony
    >= 9.0.0, < 9.5.8
  • MEDIUM 6.8 CVE-2019-19848 TYPO3 Directory Traversal on ZIP extraction
    >= 10.0.0, < 10.2.2
  • MEDIUM 6.5 CVE-2025-59015 TYPO3 CMS uses insufficient entropy when generating passwords
    >= 12.0.0, < 12.4.37
  • MEDIUM 6.4 CVE-2021-32669 Cross-Site Scripting in Backend Grid View
    >= 8.0.0, < 8.7.41
  • MEDIUM 6.4 CVE-2021-32668 Cross-Site Scripting in Query Generator & Query View
    >= 8.0.0, < 8.7.41
  • MEDIUM 6.4 CVE-2021-32667 Cross-Site Scripting in Page Preview
    >= 9.0.0, < 9.5.28
  • MEDIUM 6.1 CVE-2022-36020 TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection
    >= 10.0.0, < 10.4.32
  • MEDIUM 6.1 CVE-2019-12748 Typo3 Cross-Site Scripting in Link Handling
    >= 8.0.0, < 8.7.27
  • MEDIUM 6.1 CVE-2021-32768 Cross-Site Scripting via Rich-Text Content
    >= 7.0.0, < 7.6.53
  • MEDIUM 6.1 CVE-2021-21338 Open Redirection in Login Handling
    >= 6.2.0, < 6.2.57
  • MEDIUM 6.1 CVE-2020-26227 Cross-Site Scripting in Fluid view helpers
    >= 9.0.0, < 9.5.23
  • MEDIUM 6.1 CVE-2018-17960 Ckeditor XSS Vulnerability
    >= 8.0.0, < 8.7.21
  • MEDIUM 6.1 CVE-2018-14041 Bootstrap Cross-site Scripting vulnerability
    >= 8.0.0, < 8.7.23
  • MEDIUM 6.0 CVE-2022-31050 Insufficient Session Expiration in TYPO3's Admin Tool
    >= 9.0.0, < 9.5.35
  • MEDIUM 5.9 CVE-2022-23501 TYPO3 CMS vulnerable to Weak Authentication in Frontend Login
    from 0, < 8.7.49
  • MEDIUM 5.9 CVE-2022-23500 TYPO3 CMS vulnerable to Denial of Service in Page Error Handling
    >= 9.0.0, < 9.5.38
  • MEDIUM 5.9 CVE-2022-36104 TYPO3 CMS vulnerable to Denial of Service in Page Error Handling
    >= 11.4.0, < 11.5.16
  • MEDIUM 5.9 CVE-2021-21359 Denial of Service in Page Error Handling
    >= 10.0.0, < 10.4.14
  • MEDIUM 5.9 CVE-2021-21339 Cleartext storage of session identifier
    >= 6.2.0, < 6.2.57
  • MEDIUM 5.7 CVE-2022-23504 TYPO3 CMS vulnerable to Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration
    >= 9.0.0, < 9.5.38
  • MEDIUM 5.5 CVE-2023-30451 Path Traversal in TYPO3 File Abstraction Layer Storages
    >= 8.0.0, < 8.7.57
  • MEDIUM 5.5 CVE-2019-19850 TYPO3 SQL Injection in low-level Query Generator
    >= 8.0, < 8.7.30
  • MEDIUM 5.4 CVE-2025-47939 TYPO3 Allows Unrestricted File Upload in File Abstraction Layer
    >= 9.0.0, < 9.5.51
  • MEDIUM 5.4 CVE-2024-34357 TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController
    >= 9.0.0, < 9.5.48
  • MEDIUM 5.4 CVE-2024-34356 TYPO3 vulnerable to Cross-Site Scripting in the Form Manager Module
    >= 9.0.0, < 9.5.48
  • MEDIUM 5.4 CVE-2022-23502 TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset
    >= 10.0.0, < 10.4.33
  • MEDIUM 5.4 CVE-2022-36106 TYPO3 CMS missing check for expiration time of password reset token for backend users
    >= 10.4.0, < 10.4.32
  • MEDIUM 5.4 CVE-2022-36107 TYPO3 CMS Stored Cross-Site Scripting via FileDumpController
    >= 7.0.0, < 7.6.58
  • MEDIUM 5.4 CVE-2022-36108 TYPO3 CMS vulnerable to Cross-Site Scripting in <f:asset.css> view helper
    >= 10.3.0, < 10.4.32
  • MEDIUM 5.4 CVE-2022-31049 Cross-Site Scripting in TYPO3's Frontend Login Mailer
    >= 9.0.0, < 9.5.35
  • MEDIUM 5.4 CVE-2022-31048 Cross-Site Scripting in TYPO3's Form Framework
    >= 8.0.0, < 8.7.47
  • MEDIUM 5.4 CVE-2021-21370 Cross-Site Scripting in Content Preview (CType menu)
    >= 10.0.0, < 10.4.14
  • MEDIUM 5.4 CVE-2021-21358 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in typo3/cms-form
    >= 10.0.0, < 10.4.14
  • MEDIUM 5.4 CVE-2021-21340 Cross-Site Scripting in Content Preview
    >= 10.0.0, < 10.4.14
  • MEDIUM 5.4 CVE-2020-11065 Cross-Site Scripting in TYPO3 CMS Link Handling
    >= 10.0.0, < 10.4.2
  • MEDIUM 5.4 CVE-2020-11064 Cross-Site Scripting in TYPO3 CMS Form Engine
    >= 9.0.0, < 9.5.17
  • MEDIUM 5.3 CVE-2024-34358 TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
    >= 9.0.0, < 9.5.48
  • MEDIUM 5.3 CVE-2022-36105 TYPO3 CMS vulnerable to User Enumeration via Response Timing
    >= 7.0.0, < 7.6.58
  • MEDIUM 5.3 CVE-2022-31047 Insertion of Sensitive Information into Log File in typo3/cms-core
    >= 7.0.0, < 7.6.57
  • MEDIUM 5.3 CVE-2013-1843 TYPO3 Open redirect vulnerability in the Access tracking mechanism
    >= 4.5.0, < 4.5.24
  • MEDIUM 5.3 CVE-2010-3673 TYPO3 is vulnerable to Information Disclosure in the HTML mailing API
    from 0, < 4.2.13
  • MEDIUM 5.3 CVE-2021-32767 Information Disclosure in User Authentication
    >= 7.0.0, < 7.6.52
  • MEDIUM 4.9 CVE-2024-25119 TYPO3 Install Tool vulnerable to Information Disclosure of Encryption Key
    >= 8.0.0, < 8.7.57
  • MEDIUM 4.8 CVE-2024-55892 TYPO3 Potential Open Redirect via Parsing Differences
    >= 9.0.0, < 9.5.49
  • MEDIUM 4.8 CVE-2021-41114 HTTP Host Header Injection
    >= 11.0.0, < 11.5.0
  • MEDIUM 4.7 CVE-2020-15241 Cross-Site Scripting in ternary conditional operator
    >= 8.0.0, < 8.7.25
  • MEDIUM 4.3 CVE-2024-25120 TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme
    >= 8.0.0, < 8.7.57
  • MEDIUM 4.3 CVE-2024-25118 TYPO3 Backend Forms vulnerable to Information Disclosure of Hashed Passwords
    >= 8.0.0, < 8.7.57
  • MEDIUM 4.3 CVE-2022-31046 Information Disclosure via Export Module
    >= 7.0.0, < 7.6.57
  • MEDIUM 4.2 CVE-2023-47127 TYPO3 vulnerable to Weak Authentication in Session Handling
    >= 8.0.0, < 8.7.55
  • LOW 3.8 CVE-2025-47938 TYPO3 Unverified Password Change for Backend Users
    >= 9.0.0, < 9.5.51
  • LOW 3.7 CVE-2025-47937 TYPO3 Allows Information Disclosure via DBAL Restriction Handling
    >= 9.0.0, < 9.5.51
  • LOW 3.7 CVE-2023-38499 Information Disclosure due to Out-of-scope Site Resolution
    >= 9.4.0, < 9.5.42
  • LOW 3.7 CVE-2020-26229 XML External Entity in Dashboard Widget
    >= 10.0.0, < 10.4.10
  • LOW 3.7 CVE-2020-11063 Information Disclosure in Password Reset
    >= 10.0.0, < 10.4.2
  • LOW 3.5 CVE-2024-34355 TYPO3 vulnerable to an HTML Injection in the History Module
    >= 13.0.0, < 13.1.1
  • CVE-2026-0859 TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool
    >= 14.0.0, < 14.0.2
  • CVE-2025-59016 TYPO3 CMS exposes sensitive information in an error message
    >= 9.0.0, < 12.4.37
  • CVE-2025-59013 TYPO3 CMS has an open‑redirect vulnerability
    >= 9.0.0, < 12.4.37
  • CVE-2013-7081 TYPO3 Improper Access Control vulnerability
    >= 4.5.0, < 4.5.31
  • CVE-2013-7080 TYPO3 is vulnerable to Mass Assignment in the Extension table administration library
    >= 4.5.0, < 4.5.31
  • CVE-2013-4320 TYPO3 Improper Access Management in the File Abstraction Layer
    >= 6.0, < 6.0.9
  • CVE-2010-5104 TYPO3 Sensitive Information Disclosure via escapeStrForLike method
    >= 4.2.0, < 4.2.16
  • CVE-2013-7078 TYPO3 Cross-site scripting (XSS) vulnerability in the Extbase Framework
    >= 4.5.0, < 4.5.31
  • CVE-2013-7077 TYPO3 Cross-site scripting (XSS) vulnerability in the Backend User Administration Module
    >= 6.0, < 6.0.12
  • CVE-2009-3633 TYPO3 API function vulnerable to Cross-site Scripting
    from 0, <= 4.0.13
  • CVE-2008-2717 typo3-src - several vulnerabilities
    >= 4.0.0, < 4.0.9