CVE-2026-47351: TYPO3 CMS: Broken Access Control in Media Module
Problem
Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view.
Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
Credits
TYPO3 CMS thanks Vincent Yang for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.
Resources
References
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47351.yaml
- github.com/TYPO3/typo3/commit/2740707563343d78184c0b7c6303a7484553d7f3
- github.com/TYPO3/typo3/commit/932fbb9fcea25094e8bcc0f0ec5aab56b1d92451
- github.com/TYPO3/typo3/security/advisories/GHSA-q93m-25xv-94hh
- github.com/advisories/GHSA-q93m-25xv-94hh
- nvd.nist.gov/vuln/detail/CVE-2026-47351
- typo3.org/security/advisory/typo3-core-sa-2026-014
Code Behaviors & Features
Detect and mitigate CVE-2026-47351 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →