Filtered by vendor Typo3 Subscriptions
Total 554 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-46724 1 Typo3 1 Extension "faceted Search" 2026-05-20 N/A
The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.
CVE-2026-8827 1 Typo3 1 Extension "address List" 2026-05-20 N/A
The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.
CVE-2026-46725 1 Typo3 1 Extension "content Element Selector" 2026-05-20 N/A
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
CVE-2026-6553 1 Typo3 1 Typo3 2026-05-05 7.5 High
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
CVE-2026-4208 2 Mrsilaz, Typo3 2 Mfa Mail, Extension "e-mail Mfa Provider" 2026-04-25 8.8 High
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.
CVE-2026-4202 2 Ayacoo, Typo3 2 Redirect Tab, Extension "redirect Tabs" 2026-04-25 4.3 Medium
The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page.
CVE-2026-1323 2 Cps-it, Typo3 2 Mailqueue, Extension "mailqueue" 2026-04-25 8.8 High
The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].
CVE-2008-2345 1 Typo3 1 Air Filemanager 2026-04-23 N/A
Unspecified vulnerability in the air_filemanager 0.6.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary PHP code via unspecified vectors related to "insufficient file filtering."
CVE-2008-2490 1 Typo3 1 Kj Imagelightbox2 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in the KJ Image Lightbox 2 (aka kj_imagelightbox2) extension 1.4.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified "user input."
CVE-2008-6145 1 Typo3 2 Typo3, Wec Discussion Forum 2026-04-23 N/A
Multiple SQL injection vulnerabilities in the WEC Discussion Forum (wec_discussion) extension 1.7.0 and earlier for TYPO3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-6462 2 Kurt Gusbeth, Typo3 2 Myquizpoll, Typo3 2026-04-23 N/A
SQL injection vulnerability in the My quiz and poll (myquizpoll) extension before 0.1.4 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-2344 1 Typo3 1 Air Filemanager 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in the air_filemanager 0.6.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-6463 2 Fr.simon Rundell, Typo3 2 Pd Churchsearch, Typo3 2026-04-23 N/A
SQL injection vulnerability in the Diocese of Portsmouth Church Search (pd_churchsearch) extension before 0.1.1, and 0.2.10 and earlier 0.2.x versions, an extension for TYPO3, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2009-3820 2 Flagbit, Typo3 2 Fb Filebase, Typo3 2026-04-23 N/A
SQL injection vulnerability in the Flagbit Filebase (fb_filebase) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-6344 1 Typo3 2 Tu-clausthal Staff, Typo3 2026-04-23 N/A
SQL injection vulnerability in the TU-Clausthal Staff (tuc_staff) 0.3.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-2275 1 Typo3 1 Sr Feuser Register Extension 2026-04-23 N/A
Unspecified vulnerability in sr_feuser_register 1.4.0, 1.6.0, 2.2.1 to 2.2.7, 2.3.0 to 2.3.6, 2.4.0, and 2.5.0 to 2.5.9 extension for TYPO3 allows remote attackers to execute arbitrary code and delete arbitrary files via unspecified attack vectors.
CVE-2008-6457 2 Typo3, Walnutstreet 2 Typo3, Cgswigmore 2026-04-23 N/A
SQL injection vulnerability in the Swigmore institute (cgswigmore) extension before 0.1.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2009-1264 2 Stanislas Rolland, Typo3 2 Sr Feuser Register, Typo3 2026-04-23 N/A
Frontend User Registration (sr_feuser_register) extension 2.5.20 and earlier for TYPO3 does not properly verify access rights, which allows remote authenticated users to obtain sensitive information such as passwords via unknown attack vectors.
CVE-2008-3055 1 Typo3 1 Support View Extension 2026-04-23 N/A
SQL injection vulnerability in the Support view (ext_tbl) extension 0.0.102 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-6458 2 Dieter Mayer, Typo3 2 Fe Address Edit, Typo3 2026-04-23 N/A
SQL injection vulnerability in the FE address edit for tt_address & direct mail (dmaddredit) extension 0.4.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.