CVE-2026-49742
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. This issue could expose sensitive files such as log files.
Risk Assessment
The exposure of sensitive files may lead to data security breaches and potential attacks on the system.
Recommendation
It is recommended to update TYPO3 CMS to the latest version to mitigate this vulnerability and to restrict file download permissions for backend users.
Original NVD description (English source)
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

