php · typo3/cms-coreCritical

typo3/cms-core: Missing authorization check allows non-privileged users to modify root folders of file mounts

Non-privileged backend users with file mount access could perform write operations (move, delete, rename) on root folders of active file mounts due to missing a

13 Jun 2026Read 1 minSeverity: act now

What changed

Non-privileged backend users with file mount access could perform write operations (move, delete, rename) on root folders of active file mounts due to missing authorization restrictions.

Who it affects

TYPO3 CMS versions before 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS.

What to do today

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS.

The trail

Collected→ Audited→ Written→ Published

Source

GitHub Advisory · typo3/cms-core

typo3/cms-core: Missing authorization check allows non-privileged users to modify root folders of file mounts

What changed

Who it affects

What to do today

More on typo3/cms-core

Firefly III Stored XSS in Piggy Bank Names via Audit Logs

typo3/html-sanitizer: Whitespace-variant closing tags bypass sanitization when ALLOW_INSECURE_RAW_TEXT is enabled