๐Ÿ” CVE Alert

CVE-2026-49738

Severity: UNKNOWN

TYPO3 CMS - Broken Access Control in File Abstraction Layer

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 10th

GeneralUtility::isAllowedAbsPath() checked whether a path lies inside the project root with a plain string prefix comparison and did not require a directory separator at the boundary. With a project root of /var/www/html, a path such as /var/www/html-other/secret.yaml therefore passed the check even though it lies outside the root. An administrator with access to the File Abstraction Layer could use this to create a new file storage definition pointing to a directory outside the project root, bypassing the path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 up to but not including 11.5.51, 12.0.0 up to but not including 12.4.46, 13.0.0 up to but not including 13.4.31, and 14.0.0 up to but not including 14.3.3.
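The following is an added illustration of the prefix-boundary bug described above, written for this page; it is not TYPO3's code and does not reproduce the actual implementation of GeneralUtility::isAllowedAbsPath() or the fix. The function names, the project root and the sample paths are constructed for the example (PHP 8 for str_starts_with()).

```php
<?php
declare(strict_types=1);

// Illustrative re-implementation of the bug class, not TYPO3's own code.

/**
 * Vulnerable variant: a bare prefix comparison. Any path that merely
 * begins with the root string is accepted, including sibling directories
 * such as /var/www/html-other when the root is /var/www/html.
 */
function isAllowedAbsPathVulnerable(string $path, string $projectRoot): bool
{
    return str_starts_with($path, $projectRoot);
}

/**
 * Hardened variant: the path must either equal the root exactly or
 * continue with a directory separator right after it. Traversal segments
 * are rejected before the comparison so that /root/../other cannot
 * satisfy the prefix test either. realpath() would additionally resolve
 * symlinks, but it requires the path to exist on disk.
 */
function isAllowedAbsPathFixed(string $path, string $projectRoot): bool
{
    $root = rtrim($projectRoot, '/');
    if ($root === '' || !str_starts_with($path, '/')) {
        return false;
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $path) === 1) {
        return false;
    }
    return $path === $root || str_starts_with($path, $root . '/');
}

// Constructed sample data for the demonstration.
$projectRoot = '/var/www/html';
$cases = [
    '/var/www/html/fileadmin/user_upload',      // inside root: both allow
    '/var/www/html',                            // root itself: both allow
    '/var/www/html-other/secret.yaml',          // sibling dir: vulnerable allows
    '/var/www/htmlx',                           // prefix-only match: vulnerable allows
    '/var/www/html/../html-other/secret.yaml',  // traversal: fixed denies
    '/etc/passwd',                              // unrelated: both deny
];

foreach ($cases as $path) {
    printf(
        "%-42s vulnerable=%-5s fixed=%s\n",
        $path,
        isAllowedAbsPathVulnerable($path, $projectRoot) ? 'allow' : 'deny',
        isAllowedAbsPathFixed($path, $projectRoot) ? 'allow' : 'deny'
    );
}
```

Run it with `php example.php`: the vulnerable check allows the two sibling-directory paths, while the hardened check allows only the root and paths that continue past it with a `/`. The same boundary rule applies to any allow-list built on a path prefix (upload directories, storage base paths, include roots); the separator check is what turns a string comparison into a directory containment test.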

CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Vendor: typo3
Product: typo3 cms
Published: Jun 9, 2026
Last Updated: Jun 9, 2026

Affected Versions

TYPO3 / TYPO3 CMS
- before 10.4.57
- 11.0.0 up to, but not including, 11.5.51
- 12.0.0 up to, but not including, 12.4.46
- 13.0.0 up to, but not including, 13.4.31
- 14.0.0 up to, but not including, 14.3.3

References

NVD | CVE.org | EPSS Data

- typo3.org: https://typo3.org/security/advisory/typo3-core-sa-2026-016
- github.com: https://github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d
- github.com: https://github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5

Credits

๐Ÿ” Wolfgang Klinger Oliver Hader