CVE Catalog

CVE-2026-49738

LowCVSS 2.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

10th percentile — higher than 10% of all known CVEs

Summary

The path allowance check in GeneralUtility::isAllowedAbsPath() did not require a directory separator boundary, allowing invalid paths to be accepted. Administrators could create new file storage definitions pointing to directories outside the project root.

Risk Assessment

Organizations may be exposed to unauthorized access to files located outside of allowed directories, potentially leading to data leaks or other serious security incidents.

Recommendation

It is recommended to update TYPO3 CMS to versions 10.4.57, 11.5.52, 12.4.47, 13.4.32 or later to mitigate this vulnerability.

Original NVD description (English source)

The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS