CVE-2025-59019

MEDIUM

TYPO3 < 11.5.48 - Information Disclosure

Title source: rule

Description

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

Scores

CVSS v3 4.3
EPSS 0.0004
EPSS Percentile 12.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE CWE-200
Status published

Affected Products (3)

typo3/typo3 < 11.5.48
typo3/cms-backend < 12.4.37 (Packagist)
typo3/cms-recordlist < 12.4.37 (Packagist)

Timeline

Published Sep 09, 2025
Tracked Since Feb 18, 2026