CVE-2026-47350

UNKNOWN 0.0

TYPO3 CMS - Broken Access Control in DataHandler

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

9th

Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.

CWE	CWE-862
Vendor	typo3
Product	typo3 cms
Published	Jun 9, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for typo3 typo3 cms

Be the first to know when new unknown vulnerabilities affecting typo3 typo3 cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

TYPO3 / TYPO3 CMS

13.0.0 < 13.4.31 14.0.0 < 14.3.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

typo3.org: https://typo3.org/security/advisory/typo3-core-sa-2026-012 github.com: https://github.com/TYPO3/typo3/commit/c9898d2e67608eda78f8bd1f06ee9cf05a872a56 github.com: https://github.com/TYPO3/typo3/commit/195356996a60e40aeb2cd3e45a5f5c8940d5e116

Credits

🔍 Hyunseo Shin Torben Hansen