CVE-2025-47937

TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via FrontendGroupRestriction to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

Published: May 20, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-47937
GHSA: GHSA-x8pv-fgxp-8v3x
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
typo3 / cms-core	9.0.0	9.5.51
typo3 / cms-core	10.0.0	10.4.50
typo3 / cms-core	11.0.0	11.5.44
typo3 / cms-core	12.0.0	12.4.31
typo3 / cms-core	13.0.0	13.4.12

Vulnerability Database

290,020

CVE-2025-47937