Back to search
CVE-2025-59020
Published: Jan 13, 2026
Modified: Jan 13, 2026
PUBLISHED
Description
By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
| Vendor | Product | Versions |
|---|---|---|
TYPO3 | TYPO3 CMS | affected 10.0.0 - < 10.4.55affected 11.0.0 - < 11.5.49affected 12.0.0 - < 12.4.41affected 13.0.0 - < 13.4.23affected 14.0.0 - < 14.0.2 |
Weaknesses (CWE)
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now