CVE-2025-59018
MEDIUM
Typo3 < 9.5.55 - Information Disclosure
Title source: rule
Description
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.
Scores
CVSS v3
6.5
EPSS
0.0005
EPSS Percentile
14.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-200
Status
published
Affected Products (2)
typo3/typo3
< 9.5.55
typo3/cms-workspaces
< 12.4.37
Packagist
Timeline
Published
Sep 09, 2025
Tracked Since
Feb 18, 2026