CVE-2025-59022

Source
https://cve.org/CVERecord?id=CVE-2025-59022
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59022.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59022
Aliases
Published
2026-01-13T11:53:45.184Z
Modified
2026-07-15T01:49:16.985707093Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
TYPO3 CMS Allows Broken Access Control in Recycler Module
Details

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59022.json",
    "cwe_ids": [
        "CWE-862"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "10.0.0"
                },
                {
                    "fixed": "10.4.55"
                },
                {
                    "introduced": "11.0.0"
                },
                {
                    "fixed": "11.5.49"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "TYPO3"
}
References

Affected packages

Git / github.com/benjaminkott/bootstrap_package

Affected ranges

Type
GIT
Repo
https://github.com/benjaminkott/bootstrap_package
Events
Database specific
{
    "cpe": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.0.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/typo3/typo3
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.4.41"
        },
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.4.23"
        },
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.0.2"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*"
}

Affected versions

14.*
14.0.0
14.0.1
v12.*
v12.0.0
v12.1.0
v12.2.0
v12.3.0
v12.4.0
v12.4.1
v12.4.10
v12.4.11
v12.4.12
v12.4.13
v12.4.14
v12.4.15
v12.4.16
v12.4.17
v12.4.18
v12.4.19
v12.4.2
v12.4.20
v12.4.21
v12.4.22
v12.4.23
v12.4.24
v12.4.25
v12.4.26
v12.4.27
v12.4.28
v12.4.29
v12.4.3
v12.4.30
v12.4.31
v12.4.32
v12.4.33
v12.4.34
v12.4.35
v12.4.36
v12.4.37
v12.4.38
v12.4.39
v12.4.4
v12.4.40
v12.4.5
v12.4.6
v12.4.7
v12.4.8
v12.4.9
v13.*
v13.0.0
v13.1.0
v13.2.0
v13.2.1
v13.3.0
v13.4.0
v13.4.1
v13.4.10
v13.4.11
v13.4.12
v13.4.13
v13.4.14
v13.4.15
v13.4.16
v13.4.17
v13.4.18
v13.4.19
v13.4.2
v13.4.20
v13.4.21
v13.4.22
v13.4.3
v13.4.4
v13.4.5
v13.4.6
v13.4.7
v13.4.8
v13.4.9
v14.*
v14.0.0
v14.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59022.json"