CVE-2025-59019

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

Published: Sep 9, 2025
Updated: Sep 10, 2025
CVE: CVE-2025-59019
GHSA: GHSA-j8vm-7q52-2m2m
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
typo3 / cms-backend	12.0.0	12.4.37
typo3 / cms-backend	13.0.0	13.4.18
typo3 / cms-recordlist	11.0.0	12.4.37

https://github.com/TYPO3-CMS/backend/commit/c983415f062c32f8edbb78544a0ff3219bc35d17
https://typo3.org/security/advisory/typo3-core-sa-2025-023

Vulnerability Database

CVE-2025-59019