CVE-2025-59018

Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.

Published: Sep 9, 2025
Updated: Sep 10, 2025
CVE: CVE-2025-59018
GHSA: GHSA-w2pf-7q5w-2cgw
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
typo3 / cms-workspaces	9.0.0	12.4.37
typo3 / cms-workspaces	10.0.0	12.4.37
typo3 / cms-workspaces	11.0.0	12.4.37
typo3 / cms-workspaces	12.0.0	12.4.37
typo3 / cms-workspaces	13.0.0	13.4.18

https://github.com/TYPO3-CMS/workspaces/commit/114c189c7b30181cee96d176e31f212b02d14d4d
https://typo3.org/security/advisory/typo3-core-sa-2025-022

Vulnerability Database

CVE-2025-59018