Description
Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TYPO3 CMS applications that use the built‑in sanitization routine GeneralUtility::sanitizeLocalUrl to permit only local URLs are vulnerable to open redirect attacks once the sanitized URL is later processed. An attacker can embed a crafted URL that passes the sanitization checks and then redirect unsuspecting users to malicious or phishing sites. The primary consequence is the potential for credential theft or delivery of malicious content, with the weakness mapped to CWE‑601: Open Redirect.

Affected Systems

TYPO3 CMS versions prior to 10.4.57, 11.0.0‑11.5.50, 12.0.0‑12.4.45, 13.0.0‑13.4.30, and 14.0.0‑14.3.2 are affected. The vulnerability is present in the core utilities of the CMS and impacts any site that enables external links through GeneralUtility::sanitizeLocalUrl.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate overall risk. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, suggesting a lower probability of widespread exploitation. Nevertheless, the attack vector is likely remote, via crafted URLs submitted to the web application. An attacker who can embed an external link within user‑controlled input and subsequently cause the CMS to use that link can redirect users without needing additional privileges.

Generated by OpenCVE AI on June 9, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TYPO3 CMS to a supported release: 10.4.57 or later, 11.5.50 or later, 12.4.45 or later, 13.4.30 or later, and 14.3.2 or later.
  • If an upgrade is not immediately possible, disable or remove any code paths that pass untrusted URLs through GeneralUtility::sanitizeLocalUrl.
  • Validate all user‑supplied URLs server‑side to ensure they are absolute local paths and reject any that resolve to external domains.

Generated by OpenCVE AI on June 9, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Title TYPO3 CMS - Open Redirect in Core Utilities
First Time appeared Typo3
Typo3 typo3
Weaknesses CWE-601
CPEs cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products Typo3
Typo3 typo3
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Typo3 Typo3
cve-icon MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:53:41.403Z

Reserved: 2026-05-19T12:49:25.966Z

Link: CVE-2026-47347

cve-icon Vulnrichment

Updated: 2026-06-09T13:53:37.366Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T11:16:52.457

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-47347

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses