CVE & Exploit Intelligence Database

Updated 57m ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,123 CVEs tracked | 53,219 with exploits | 4,686 exploited in wild | 1,539 CISA KEV | 3,912 Nuclei templates | 37,757 vendors | 42,422 researchers

21 results
CVE-2025-59020 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Typo3 < 10.4.55 - Incorrect Authorization
By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
CWE-863 | Jan 13, 2026
CVE-2025-59019 | CVSS 4.3 MEDIUM | EPSS 0.00
Typo3 < 11.5.48 - Information Disclosure
Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.
CWE-200 | Sep 09, 2025
CVE-2025-59017 | CVSS 8.8 HIGH | EPSS 0.00
Typo3 < 9.5.55 - Missing Authorization
Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.
CWE-862 | Sep 09, 2025
CVE-2025-59014 | CVSS 2.7 LOW | EPSS 0.00
TYPO3 CMS <13.4.17 - DoS
An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving manipulated data in the bookmark toolbar.
CWE-248 | Sep 09, 2025
CVE-2025-47941 | CVSS 7.2 HIGH | EPSS 0.00
TYPO3 <12.4.31 LTS & <13.4.2 LTS - Auth Bypass
TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, the multifactor authentication (MFA) dialog presented during backend login can be bypassed due to insufficient enforcement of access restrictions on all backend routes. Successful exploitation requires valid backend user credentials, as MFA can only be bypassed after successful authentication. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem.
CWE-288 | May 20, 2025
CVE-2024-34537 | CVSS 4.9 MEDIUM | EPSS 0.00
TYPO3 <13.3.1 - DoS
TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the bookmark toolbar of the backend user interface. The fixed versions are 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, and 13.3.1.
Oct 28, 2024
CVE-2024-47780 | CVSS 3.1 LOW | EPSS 0.00
TYPO3 - Info Disclosure
TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages. Users are advised to update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. There are no known workarounds for this vulnerability.
CWE-863 | Oct 08, 2024
CVE-2021-21370 | CVSS 5.4 MEDIUM | EPSS 0.00
Typo3 < 7.6.51 - XSS
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 it has been discovered that content elements of type _menu_ are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.
CWE-79 | Mar 23, 2021
CVE-2021-21340 | CVSS 5.4 MEDIUM | EPSS 0.00
Typo3 < 10.4.14 - XSS
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 10.4.14, 11.1.1 it has been discovered that database fields used as _descriptionColumn_ are vulnerable to cross-site scripting when their content gets previewed. A valid backend user account is needed to exploit this vulnerability. This is fixed in versions 10.4.14, 11.1.1.
CWE-79 | Mar 23, 2021
CVE-2010-3664 | CVSS 6.5 MEDIUM | EPSS 0.01
Typo3 < 4.1.14 - Information Disclosure
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.
CWE-200 | Nov 04, 2019
CVE-2010-3663 | CVSS 8.8 HIGH | EPSS 0.03
Typo3 < 4.1.14 - Unrestricted File Upload
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.
CWE-434 | Nov 04, 2019
CVE-2010-3662 | CVSS 8.8 HIGH | EPSS 0.00
Typo3 < 4.1.14 - SQL Injection
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
CWE-89 | Nov 04, 2019
CVE-2010-3661 | CVSS 6.1 MEDIUM | EPSS 0.00
Typo3 < 4.1.14 - Open Redirect
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Open Redirection on the backend.
CWE-601 | Nov 01, 2019
CVE-2010-3660 | CVSS 5.4 MEDIUM | EPSS 0.00
Typo3 < 4.1.14 - XSS
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows XSS on the backend.
CWE-79 | Nov 01, 2019
CVE-2010-3659 | CVSS 5.4 MEDIUM | EPSS 0.00
Typo3 < 4.1.14 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms.
CWE-79 | Oct 20, 2017
CVE-2010-3715 | EPSS 0.00
Typo3 < 4.2.15 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, and allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (2) the backend.
CWE-79 | Oct 25, 2010
CVE-2009-3631 | EPSS 0.01
Typo3 < 4.0.12 - Code Injection
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.
CWE-94 | Nov 02, 2009
CVE-2009-3630 | EPSS 0.01
TYPO3 <4.0.13, <4.1.13, <4.2.10, <4.3beta2 - Frame Hijacking
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a "frame hijacking" issue.
Nov 02, 2009
CVE-2009-3629 | EPSS 0.00
Typo3 < 4.0.13 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CWE-79 | Nov 02, 2009
CVE-2009-3628 | EPSS 0.00
Typo3 < 4.0.12 - Information Disclosure
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element.
CWE-200 | Nov 02, 2009