CVE-2025-59020 MEDIUM

CVE-2025-59020: TYPO3 CMS Allows Broken Access Control in Edit Document Controller

Vendor Typo3

Product TYPO3 CMS

Weakness CWE-863 · Incorrect authorization

Published January 13, 2026

Last update January 13, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Key dates

Disclosure timeline

January 13, 2026 CVE published

January 13, 2026 Record updated

Identifiers

CVE CVE-2025-59020

CWE CWE-863

CVSS 5.3 / MEDIUM

Affected versions

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 10.0.0 and < 10.4.55

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 11.0.0 and < 11.5.49

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 12.0.0 and < 12.4.41

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 13.0.0 and < 13.4.23

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 14.0.0 and < 14.0.2