CVE Catalog

CVE-2026-49742

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

11th percentile - higher than 11% of all known CVEs

Summary

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. This issue could expose sensitive files such as log files.

Risk Assessment

The exposure of sensitive files may lead to data security breaches and potential attacks on the system.

Recommendation

It is recommended to update TYPO3 CMS to the latest version to mitigate this vulnerability and to restrict file download permissions for backend users.

Original NVD description (English source)

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS