CVE-2025-47940 HIGH

CVE-2025-47940: TYPO3 CMS Vulnerable to Privilege Escalation to System Maintainer

Vendor Typo3

Product typo3

Weakness CWE-283

Published May 20, 2025

Last update May 20, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. Users should update to TYPO3 version 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

Key dates

Disclosure timeline

May 20, 2025 CVE published

May 20, 2025 Record updated

Identifiers

CVE CVE-2025-47940

CWE CWE-283

CVSS 7.2 / HIGH

Affected versions

Vendor Typo3

Product typo3

Affected >= 10.0.0, < 10.4.50

Vendor Typo3

Product typo3

Affected >= 11.0.0, < 11.5.44

Vendor Typo3

Product typo3

Affected >= 12.0.0, < 12.4.31

Vendor Typo3

Product typo3

Affected >= 13.0.0, < 13.4.12