CVE-2025-59022 · HIGH 8.1 · EPSS p29.7%

Description

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 29.7% · 2026-06-18T12:00:27Z
Published: 2026-01-13
Last modified: 2026-01-14

Underlying weaknesses · 1

CWE-862

References

  1. https://github.com/TYPO3/typo3/commit/336d6f165458a0ce32d8330999ab9ab6a5983d20
  2. https://github.com/TYPO3/typo3/commit/a6604db66499710f72ae6e7006beb14ad0913aae
  3. https://github.com/TYPO3/typo3/commit/efb9528f9882ac924c40598ebd8508479e9950a3
  4. https://typo3.org/security/advisory/typo3-core-sa-2026-003

| Type | Target | Confidence | Tier |
|------|--------|------------|------|
| Weakness | Missing Authorization (cwe-862) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-47349
  2. CVE-2025-59017
  3. CVE-2026-47352
  4. CVE-2026-47351
  5. CVE-2026-47350
  6. CVE-2026-47343

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.