← Back to CVEs

CVE-2025-59020

MEDIUM

6.5

Description

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

CVE Details

CVSS v3.1 Score6.5

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionNONE

Published1/13/2026

Last Modified1/14/2026

Sourcenvd

Honeypot Sightings0

Affected Products

typo3:typo3

Weaknesses (CWE)

CWE-863

References

https://github.com/TYPO3/typo3/commit/ac3f792bd5ab7c58153fc1075cb9e001c9cebe3b(f4fb688c-4412-4426-b4b8-421ecf27b14a)

https://github.com/TYPO3/typo3/commit/cd11a19958d823d12d028f9345b41739c7e70118(f4fb688c-4412-4426-b4b8-421ecf27b14a)

https://github.com/TYPO3/typo3/commit/fb98378a8fd30dd50d89a3d1a420780819f38232(f4fb688c-4412-4426-b4b8-421ecf27b14a)

https://typo3.org/security/advisory/typo3-core-sa-2026-001(f4fb688c-4412-4426-b4b8-421ecf27b14a)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.