{"uuid": "b4ff61a7-11ad-4bad-95fb-b61120217230", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47349", "type": "seen", "source": "https://gist.github.com/alon710/a08953cadcdf16e9be0dd04a2434d31a", "content": "# CVE-2026-47349: Missing Authorization in TYPO3 CMS DataHandler Record Restoration\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-12\n> **Full Report:** https://cvereports.com/reports/CVE-2026-47349\n\n## Summary\nAn authenticated backend user with access to the Recycler module in TYPO3 CMS can bypass write restrictions and restore soft-deleted records on pages or database tables they are not authorized to modify. This vulnerability resides in the core DataHandler class due to missing permission checks during 'undelete' operations.\n\n## TL;DR\nUnprivileged TYPO3 backend users can exploit the Recycler module to restore and modify unauthorized database records across page boundaries.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862: Missing Authorization\n- **Attack Vector**: Network (AV:N)\n- **CVSS v4.0**: 5.3 (Medium)\n- **EPSS Score**: 0.00414 (32.77th percentile)\n- **Impact**: Privilege Escalation / Unauthorized Write Access\n- **Exploit Status**: Proof-of-Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- TYPO3 CMS 10.0.0 to 10.4.56\n- TYPO3 CMS 11.0.0 to 11.5.50\n- TYPO3 CMS 12.0.0 to 12.4.45\n- TYPO3 CMS 13.0.0 to 13.4.30\n- TYPO3 CMS 14.0.0 to 14.3.2\n- **TYPO3 CMS**: >= 10.0.0 < 10.4.57 (Fixed in: `10.4.57 ELTS`)\n- **TYPO3 CMS**: >= 11.0.0 < 11.5.51 (Fixed in: `11.5.51 ELTS`)\n- **TYPO3 CMS**: >= 12.0.0 < 12.4.46 (Fixed in: `12.4.46 ELTS`)\n- **TYPO3 CMS**: >= 13.0.0 < 13.4.31 (Fixed in: `13.4.31 LTS`)\n- **TYPO3 CMS**: >= 14.0.0 < 14.3.3 (Fixed in: `14.3.3 LTS`)\n\n## Mitigation\n\n- Upgrade TYPO3 CMS to a patched version (10.4.57, 11.5.51, 12.4.46, 13.4.31, 14.3.3 or higher).\n- Remove access to the Recycler module (ext:recycler) for non-administrative backend user groups.\n- Implement database logging audits to monitor for unauthorized database restoration commands.\n\n**Remediation Steps:**\n1. Identify the current active TYPO3 branch (10, 11, 12, 13, or 14).\n2. Apply the corresponding security update using Composer or the official source archives.\n3. Verify user group permissions to ensure low-privileged editors only possess access to designated database tables and pages.\n4. Review the TYPO3 System Log database table (sys_log) for occurrences of USER_ERROR entries regarding undelete record attempts.\n\n## References\n\n- [TYPO3 Security Advisory TYPO3-CORE-SA-2026-011](https://typo3.org/security/advisory/typo3-core-sa-2026-011)\n- [CVE Registry Record](https://www.cve.org/CVERecord?id=CVE-2026-47349)\n- [CWE-862 Weakness Definition](https://cwe.mitre.org/data/definitions/862.html)\n- [TYPO3 Core 13.4 Security Fix](https://github.com/TYPO3/typo3/commit/92f08d8944f1aeccf506fcd323c260448c64d7c8)\n- [TYPO3 Core Main Branch Security Fix](https://github.com/TYPO3/typo3/commit/9f17a307cf774d63ab8291fc97c6b55653b4265a)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47349) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T14:51:47.000000Z"}