CVE-2026-49742

216.73.216.6

· Published 09/06/2026 11:16 · Modified 09/06/2026 13:46

Labels: CVE-2026-49742 2026-06-09 CVE-2026-49742 CWE-22 f4fb688c-4412-4426-b4b8-421ecf27b14a

Essential information

Published: 09/06/2026 11:16
Modified: 09/06/2026 13:46
Author: —
Creator: —
CVSS: 7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: f4fb688c-4412-4426-b4b8-421ecf27b14a
NVD: View on NVD

Affected products (CPE)

Product	CPE
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:11.0.0-11.5.50:::::::*`
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:12.0.0-12.4.45:::::::*`
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:13.0.0-13.4.30:::::::*`
typo3 / typo3 cms	`cpe:2.3:a:typo3:typo3_cms:14.0.0-14.3.2:::::::*`