CVE-2026-47347 MEDIUM

CVE-2026-47347: TYPO3 CMS - Open Redirect in Core Utilities

Vendor Typo3

Product TYPO3 CMS

Weakness CWE-601 · Open redirect

Published June 9, 2026

Last update June 9, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

Description

Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Key dates

Disclosure timeline

June 9, 2026 CVE published

June 9, 2026 Record updated

Identifiers

CVE CVE-2026-47347

CWE CWE-601

CVSS 5.3 / MEDIUM

Affected versions

Vendor Typo3

Product TYPO3 CMS

Affected < 10.4.57

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 11.0.0 and < 11.5.51

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 12.0.0 and < 12.4.46

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 13.0.0 and < 13.4.31

Vendor Typo3

Product TYPO3 CMS

Affected ≥ 14.0.0 and < 14.3.3