Description
Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TYPO3 CMS suffered a broken access control flaw in the clipboard feature. Back-end users could inject arbitrary records and files into the clipboard without the system enforcing read‑permission checks, allowing them to discover and view content that should have been invisible to them. This weakness directly permits unauthorized data disclosure and leaves sensitive records and files exposed to any authenticated backend user.

Affected Systems

The vulnerability applies to TYPO3 CMS versions 10.4.0 through 13.4.30 and 14.0.0 through 14.3.2 provided by TYPO3:TYPO3 CMS.

Risk and Exploitability

The flaw carries a CVSS score of 5.3, indicating a moderate severity. EPSS information is not provided, and the issue is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated back‑end user with access to the TYPO3 administrative interface; through normal use of the clipboard, the attacker can gather information they are not entitled to. No remote code execution or privilege escalation beyond data exposure is described in the data available.

Generated by OpenCVE AI on June 9, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TYPO3 to a version that includes the clipboard access‑control patch, for example any release after 14.3.2 or apply the patch identified in the vendor commit 2740707563343d78184c0b7c6303a7484553d7f3.
  • If an immediate upgrade is not possible, disable the clipboard feature for all backend users or restrict its use to a minimal set of trusted accounts.
  • Review and tighten role‑based permissions so that backend users only have read rights to the records and files they legitimately need to access.

Generated by OpenCVE AI on June 9, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2.
Title TYPO3 CMS - Broken Access Control in Clipboard
First Time appeared Typo3
Typo3 typo3
Weaknesses CWE-200
CWE-862
CPEs cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products Typo3
Typo3 typo3
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Typo3 Typo3
cve-icon MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:50:05.766Z

Reserved: 2026-05-19T12:49:25.966Z

Link: CVE-2026-47351

cve-icon Vulnrichment

Updated: 2026-06-09T13:49:33.726Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T11:16:52.993

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-47351

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-862

    Missing Authorization