๐Ÿ” CVE Alert

CVE-2026-49742

UNKNOWN 0.0

TYPO3 CMS - Broken Access Control in Media Module

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 11th

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

CWE: CWE-22, CWE-200
Vendor: typo3
Product: typo3 cms
Published: Jun 9, 2026
Last Updated: Jun 9, 2026

Affected Versions

TYPO3 / TYPO3 CMS
11.0.0 < 11.5.51
12.0.0 < 12.4.46
13.0.0 < 13.4.31
14.0.0 < 14.3.3

References

typo3.org: https://typo3.org/security/advisory/typo3-core-sa-2026-013
github.com: https://github.com/TYPO3/typo3/commit/caa6b444d7ab1bdd1eb76a68004c8be73d98e6ae
github.com: https://github.com/TYPO3/typo3/commit/ad636b6183843b57c758a1e12174a75093ac93c3

Credits

๐Ÿ” Hyunseo Shin Torben Hansen