CVE-2026-47347
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
Applications using GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks.
Risk Assessment
Organizations may be exposed to phishing attacks that could lead to user data theft and loss of trust in the application. Exploitation of this vulnerability can result in serious financial and reputational consequences.
Recommendation
It is recommended to update TYPO3 CMS to versions 10.4.57, 11.5.50, 12.4.45, 13.4.30, or 14.3.2 to mitigate this vulnerability. Additionally, conducting a security audit of the application is advisable to identify and remediate other potential vulnerabilities.
Original NVD description (English source)
Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

