{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49738", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "state": "PUBLISHED", "assignerShortName": "TYPO3", "dateReserved": "2026-06-01T10:52:50.597Z", "datePublished": "2026-06-09T10:53:31.677Z", "dateUpdated": "2026-06-09T10:53:31.677Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2026-06-09T10:53:31.677Z"}, "title": "TYPO3 CMS - Broken Access Control in File Abstraction Layer", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "affected": [{"vendor": "TYPO3", "product": "TYPO3 CMS", "collectionURL": "https://packagist.org", "packageName": "typo3/cms-core", "repo": "https://github.com/TYPO3/typo3", "modules": ["Core"], "versions": [{"status": "affected", "version": "0", "lessThan": "10.4.57", "versionType": "semver"}, {"status": "affected", "version": "11.0.0", "lessThan": "11.5.51", "versionType": "semver"}, {"status": "affected", "version": "12.0.0", "lessThan": "12.4.46", "versionType": "semver"}, {"status": "affected", "version": "13.0.0", "lessThan": "13.4.31", "versionType": "semver"}, {"status": "affected", "version": "14.0.0", "lessThan": "14.3.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.4.57", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.5.51", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "12.4.46", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.4.31", "versionStartIncluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "versionEndExcluding": "14.3.3", "versionStartIncluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "value": "The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The path allowance check in <code>GeneralUtility::isAllowedAbsPath()</code> performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like <code>/var/www/html-other/secret.yaml</code> to be incorrectly accepted as valid when the project root was <code>/var/www/html</code>. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3."}]}], "references": [{"url": "https://typo3.org/security/advisory/typo3-core-sa-2026-016", "tags": ["vendor-advisory"]}, {"url": "https://github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d", "name": "Git commit of main branch", "tags": ["patch"]}, {"url": "https://github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5", "name": "Git commit of 13.4 branch", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Wolfgang Klinger", "type": "reporter"}, {"lang": "en", "value": "Oliver Hader", "type": "remediation developer"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3."}], "id": "CVE-2026-49738", "lastModified": "2026-06-09T11:16:53.247", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}, "published": "2026-06-09T11:16:53.247", "references": [{"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "url": "https://github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5"}, {"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "url": "https://github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d"}, {"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-016"}], "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.4.57)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,11.5.51)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,12.4.46)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.0,13.4.31)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[14.0.0,14.3.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "TYPO3 CMS", "source": "cna", "vendor": "TYPO3"}, "product": "typo3", "vendor": "typo3"}], "created": "2026-06-09T12:30:03.984056+00:00", "updated": "2026-06-09T12:30:04.389959+00:00", "vendors": ["typo3", "typo3$PRODUCT$typo3"]}