CVE-2026-47350

Description

Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

Low

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

TYPO3 / TYPO3 CMS13.0.0 – 13.4.31
TYPO3 / TYPO3 CMS14.0.0 – 14.3.3

References

MISChttps://typo3.org/security/advisory/typo3-core-sa-2026-012
PATCHhttps://github.com/TYPO3/typo3/commit/c9898d2e67608eda78f8bd1f06ee9cf05a872a56
PATCHhttps://github.com/TYPO3/typo3/commit/195356996a60e40aeb2cd3e45a5f5c8940d5e116