CVE-2025-59022

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-59022
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59022.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59022
Aliases
Published
2026-01-13T12:15:50.237Z
Modified
2026-03-15T14:53:46.966519Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
[none]
Details

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

References

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type
GIT
Repo
https://github.com/typo3/typo3
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
336d6f165458a0ce32d8330999ab9ab6a5983d20
Fixed
a6604db66499710f72ae6e7006beb14ad0913aae
Fixed
efb9528f9882ac924c40598ebd8508479e9950a3
Type
GIT
Repo
https://github.com/typo3/typo3.cms
Events
Introduced
36096733dea4bd6f6168209609fa879dc25c0138
Fixed
29ccb6fc4887fcb0f0ceac5bfd24d4993176c412
Introduced
fd8745e46bb11773e85524b8ee9650dabe340713
Fixed
ef75ec889ef10324e61df83ff994db67c4d45255
Introduced
6d6bd23afff6a48ee3efeaa68eb829820397d6a1
Fixed
62e93122ec75943aba5553b0aa1c6a50c4ccc27f
Database specific 
{
    "versions": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.4.41"
        },
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.4.23"
        },
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.0.2"
        }
    ]
}

Affected versions

6.*
6.2.0
6.2.1
6.2.2
6.2.3
7.*
7.0.0
7.1.0
7.2.0
7.3.0
7.4.0
7.5.0
7.6.0
7.6.1
7.6.2
8.*
8.0.0
8.1.0
8.2.0
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
Other
TYPO3_6-1-0rc1
TYPO3_6-2-0
TYPO3_6-2-0alpha1
TYPO3_6-2-0alpha2
TYPO3_6-2-0alpha3
TYPO3_6-2-0beta1
TYPO3_6-2-0beta2
TYPO3_6-2-0beta3
TYPO3_6-2-0beta4
TYPO3_6-2-0beta5
TYPO3_6-2-0beta6
TYPO3_6-2-0beta7
TYPO3_6-2-0rc1
TYPO3_6-2-0rc2
TYPO3_6-2-1
TYPO3_6-2-2
TYPO3_6-2-3
TYPO3_7-0-0
TYPO3_7-1-0
TYPO3_7-2-0
TYPO3_7-3-0
TYPO3_7-4-0
TYPO3_7-5-0
TYPO3_7-6-0
TYPO3_7-6-1
TYPO3_7-6-2
TYPO3_8-0-0
TYPO3_8-1-0
TYPO3_8-2-0
TYPO3_8-3-0
TYPO3_8-4-0
TYPO3_8-5-0
TYPO3_8-6-0
TYPO3_8-7-0
v10.*
v10.0.0
v10.1.0
v10.2.0
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v11.*
v11.0.0
v11.1.0
v11.2.0
v11.3.0
v11.4.0
v11.5.0
v11.5.1
v11.5.2
v11.5.3
v12.*
v12.0.0
v12.1.0
v12.2.0
v12.3.0
v12.4.0
v12.4.1
v12.4.10
v12.4.11
v12.4.12
v12.4.13
v12.4.14
v12.4.15
v12.4.16
v12.4.17
v12.4.18
v12.4.19
v12.4.2
v12.4.20
v12.4.21
v12.4.22
v12.4.23
v12.4.24
v12.4.25
v12.4.26
v12.4.27
v12.4.28
v12.4.29
v12.4.3
v12.4.30
v12.4.31
v12.4.32
v12.4.33
v12.4.34
v12.4.35
v12.4.36
v12.4.37
v12.4.38
v12.4.39
v12.4.4
v12.4.40
v12.4.5
v12.4.6
v12.4.7
v12.4.8
v12.4.9
v13.*
v13.0.0
v13.1.0
v13.2.0
v13.2.1
v13.3.0
v13.4.0
v13.4.1
v13.4.10
v13.4.11
v13.4.12
v13.4.13
v13.4.14
v13.4.15
v13.4.16
v13.4.17
v13.4.18
v13.4.19
v13.4.2
v13.4.20
v13.4.21
v13.4.22
v13.4.3
v13.4.4
v13.4.5
v13.4.6
v13.4.7
v13.4.8
v13.4.9
v14.*
v14.0.0
v14.0.1
v9.*
v9.0.0
v9.1.0
v9.2.0
v9.3.0
v9.4.0
v9.5.0
v9.5.1
v9.5.2
v9.5.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59022.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "10.0.0"
            },
            {
                "fixed": "10.4.55"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "11.0.0"
            },
            {
                "fixed": "11.5.49"
            }
        ]
    }
]