Official TYPO3 News

Announcing a Third Election Round for the TYPO3 Association Board

Wed, 08 Apr 2026 20:30:33 +0200

Since none of the remaining candidates achieved 50% of the votes in the second round, members are asked to vote in a final round. If the necessary support is not reached, the election for the third position will be considered unsuccessful.

Vote Now! Budget 2026 Ideas for Round Two Have Been Published

Wed, 08 Apr 2026 10:42:22 +0200

The call for community budget ideas for the second round of 2026 was successful: Seven Community and three Team ideas have made it to the poll. These ideas can now be discussed and TYPO3 Association members can cast their vote.

This Month in TYPO3: March, 2026

Tue, 07 Apr 2026 10:37:48 +0200

March went out with a bang. TYPO3 v14.2 shipped on the final day of the month, the Association elections saw an 18% surge in voter participation, and three extension security advisories landed mid-month. With v14 LTS queued for 21 April and the community calendar filling fast, the momentum heading into spring is undeniable.

Improving Fluid Developer Experience with TYPO3 v14

Thu, 02 Apr 2026 00:00:00 +0200

Simon Praetorius gives us an update on his Community Budget idea for improving the Fluid developer experience — and the first results are already landing in Fluid 5.2.

TYPO3 Contribution in Numbers: March 2026

Wed, 01 Apr 2026 06:03:42 +0200

See the full recap of TYPO3's March core contributions with 66 contributors, 255 reviews, bug fixes, features, and a big thank-you to our developers.

TYPO3 v14.2—Refined Where It Matters

Tue, 31 Mar 2026 07:08:00 +0200

Today we proudly released TYPO3 version 14.2—and you won't be disappointed! You'll find new features, improvements, and optimizations in every corner of the system. Read on to learn more about what's new in the last sprint release before the v14 LTS launch in April 2026.

Results of the 2026 TYPO3 Association Elections

Tue, 31 Mar 2026 07:00:00 +0200

When the election closed, more than 380 members had cast their votes. This is an 18% increase from 2025. Another voting round will take place to select the final board member.

How to Upgrade an Outdated TYPO3 Version: Our Step-by-Step Guide

Thu, 26 Mar 2026 07:00:00 +0100

Learn how to check if your TYPO3 version is outdated and choose the best way to upgrade your TYPO3 website.

TYPO3 and its Accessibility in the Backend — Changes from v6 to v14

Wed, 25 Mar 2026 10:32:51 +0100

A look at how the TYPO3 community has tackled backend accessibility over the years — and what a dedicated sprint in 2025 revealed about how far it's come, and how far it still has to go.

Extended Long-Term Support (ELTS) for TYPO3 v12: Presale starts 1 April 2026

Wed, 25 Mar 2026 09:05:00 +0100

Prepare for the end of TYPO3 v12 LTS free support on 30 April 2026. Consider extending your current system's life with ELTS for critical security updates and bug fixes.

Join the TYPO3 v14 LTS Launch Celebrations

Tue, 24 Mar 2026 06:01:00 +0100

Join the TYPO3 community in marking the release of TYPO3 v14 LTS. The official release day is 21 April 2026, and we’re excited to highlight release parties happening across the ecosystem.

Changing the Playing Field — Visual Editing in TYPO3 v14

Tue, 17 Mar 2026 16:52:11 +0100

Last weekend at Web Camp Venlo, developer Matthias Vogel demonstrated how the default Camino theme supports visual editing in TYPO3 v14. I believe this is a quantum leap for our CMS, both in terms of usability and for its appeal to potential clients.

Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

Tue, 17 Mar 2026 10:02:00 +0100

Release Date: March 17, 2026Updated: March 22, 2026Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.Component: "E-Mail MFA Provider" (mfa_email)Composer Package Name: ralffreit/mfa-emailVulnerability Type: Authentication BypassAffected Versions: 2.0.0, 1.0.5 and belowSeverity: HighSuggested CVSS v4.0: AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences: CVE-2026-4208, CWE-288

Problem Description

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.

The vulnerability is only exploitable, when the “E-Mail MFA Provider” is not the default MFA provider and when at least one other MFA provider is available to the user.

Solution

Updated versions 2.0.1 and 1.0.7 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/mfa_email/2.0.1/zip
https://extensions.typo3.org/extension/download/mfa_email/1.0.7/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Jan Holtkötter for reporting the vulnerability and to Ralf Freit for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Broken Access Control in extension "Redirect Tab" (redirect_tab)

Tue, 17 Mar 2026 10:01:00 +0100

Release Date: March 17, 2026Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.Component: "Redirect Tab" (redirect_tab)Composer Package Name: ayacoo/redirect-tabVulnerability Type: Broken Access ControlAffected Versions: 4.0.0 - 4.0.4, 3.0.0 - 3.1.6, 2.1.1 and belowSeverity: LowSuggested CVSS v4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences: CVE-2026-4202, CWE-862, CWE-200

Problem Description

The extension fails to verify, if an authenticated user has permissions to access redirects resulting in exposure of redirect records when editing a page.

Solution

Updated versions 4.0.5, 3.1.7 and 2.1.2 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/redirect_tab/4.0.5/zip
https://extensions.typo3.org/extension/download/redirect_tab/3.1.7/zip
https://extensions.typo3.org/extension/download/redirect_tab/2.1.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Guido Schmechel for reporting the vulnerability and for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Insecure Deserialization in extension "Mailqueue" (mailqueue)

Tue, 17 Mar 2026 10:00:00 +0100

Release Date: March 17, 2026Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.Component: "Mailqueue" (mailqueue)Composer Package Name: cpsit/typo3-mailqueueVulnerability Type: Insecure DeserializationAffected Versions: 0.5.0 - 0.5.1, 0.4.4 and belowSeverity: MediumSuggested CVSS v4.0: AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:HReferences: CVE-2026-1323, CWE-502

Problem Description

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].

Solution

Updated versions 0.5.2 and 0.4.5 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/mailqueue/0.4.5/zip
https://extensions.typo3.org/extension/download/mailqueue/0.5.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to TYPO3 security team member Elias Häußler for reporting the vulnerability and for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

This Month in TYPO3: February, 2026

Fri, 13 Mar 2026 11:29:38 +0100

February kept the momentum going. Two maintenance releases kept production stable, the Board dropped an activity report, and nominations opened for Board and Business Control Committee seats. Content Blocks cleared the v14 milestone, and Europe's digital sovereignty shift moved TYPO3 into sharper strategic focus. March has a packed calendar waiting.

My First Day on the Frontline — Report From a Best Practice Remote Code Sprint

Thu, 12 Mar 2026 09:48:32 +0100

With the new year just around the corner, I attended a Remote Code Sprint of the Best Practices Team for the very first time ever.

First TYPO3 Marketing Sprint 2026 in Berlin

Wed, 11 Mar 2026 07:00:00 +0100

Help us shape the official TYPO3 v14 LTS narrative! Join the hybrid Marketing Sprint in Berlin on April 13-14, 2026. Secure your spot and register now.

TYPO3 13.4.27 and 12.4.44 maintenance releases published

Tue, 10 Mar 2026 13:30:00 +0100

The versions 13.4.27 and 12.4.44 of the TYPO3 Enterprise Content Management System have just been released.

From Billable Hours to Scalable Products

Tue, 10 Mar 2026 07:50:00 +0100

Digital agencies typically grow by taking on more projects and increasing team capacity. This model works well for delivering client services, but it also creates a structural limit: revenue remains closely tied to billable time.

TYPO3 Returns to CloudFest 2026

Mon, 09 Mar 2026 07:00:00 +0100

TYPO3 returns to CloudFest 2026. Explore how we’re collaborating with the FAIR project and Open Website Alliance to prepare for the Cyber Resilience Act.

Second Call for Community Budget Ideas in 2026

Wed, 04 Mar 2026 16:12:20 +0100

The TYPO3 Association has officially launched the second community budget idea process of 2026. This is the second round of the refreshed, more focused approach to funding community-driven and team-driven initiatives.

New TYPO3 Certification Pricing and Bundle Offer – Effective March 2026

Tue, 03 Mar 2026 07:11:00 +0100

Discover the new TYPO3 certification pricing and bundle model effective March 2026. Transparent costs, mock exams, and two-year planning security.

Getting TYPO3 v14 Over the Finish Line: Our Week at the Rosenheim Code Sprint

Mon, 02 Mar 2026 19:58:40 +0100

With a clear mission to complete outstanding v14 tasks, Marno shares the highlights from our team sprint in Rosenheim, Germany, where collaboration and focused effort brought us closer to the final release.

TYPO3 Contribution in Numbers: February 2026

Mon, 02 Mar 2026 13:49:23 +0100

See the full recap of TYPO3's February core contributions with 76 contributors, 239 reviews, bug fixes, features, and a big thank-you to our developers.

We Are Looking for Candidates for the Board and Business Control Committee

Thu, 26 Feb 2026 09:11:00 +0100

Are you a passionate member of the community? Do you have a vision for TYPO3's future? Whether you are a developer or a non-code contributor, TYPO3 needs dedicated people to help guide the project and serve the community.

The TYPO3 Camp Baden-Württemberg Is Back!

Wed, 25 Feb 2026 09:50:32 +0100

This German-language event brings together the TYPO3 community for two days of knowledge exchange and collaboration.

Board Report: New Responsibilities, Community Work, and a Look-Out for 2026

Tue, 24 Feb 2026 11:23:45 +0100

During the third and fourth quarter of 2025, the TYPO3 Board focused on strengthening governance structures, expanding cross-community networking, and driving technical innovation. From preparing for new EU regulations to active participation in international camps, here is an overview of the board's recent activities.

TYPO3 14.1.1, 13.4.26 and 12.4.43 maintenance releases published

Fri, 20 Feb 2026 10:30:00 +0100

The versions 14.1.1, 13.4.26 and 12.4.43 of the TYPO3 Enterprise Content Management System have just been released.

Digital Sovereignty and Open Source: Europe’s Shifting Technology Foundations

Thu, 19 Feb 2026 09:34:00 +0100

European organizations are reassessing their tech stacks as digital sovereignty becomes a necessity. Learn why open source is emerging as a strategic alternative.

Debunking 7 Common Myths about Open Source CMS

Thu, 12 Feb 2026 13:47:00 +0100

Debunk common myths about open source CMSs and learn how open source solutions like TYPO3 deliver security, scalability, innovation, and enterprise value.

In Memory of Jens Liesegang

Thu, 12 Feb 2026 09:04:00 +0100

It is with great sadness that we learned of the passing of our esteemed colleague and companion Jens Liesegang.

Content Blocks: Q4/2025 Milestones and Q1/2026 Goals

Wed, 11 Feb 2026 15:02:02 +0100

The Content Types Team wrapped up the major milestone of TYPO3 v14 support and focused on the long-awaited Content Blocks GUI.

TYPO3 13.4.25 maintenance release published

Tue, 10 Feb 2026 11:00:00 +0100

The version 13.4.25 of the TYPO3 Enterprise Content Management System has just been released.

Community Budget Report: A PHP Firewall for TYPO3

Thu, 05 Feb 2026 00:00:00 +0100

Sascha Egerer provides an update on his Community Budget Idea to add a PHP-based firewall to TYPO3, helping site owners block common attacks even when they can’t rely on server-level security.

Generating QR codes with TYPO3 v14

Tue, 03 Feb 2026 08:49:55 +0100

With version 14.1 editors now have the ability to generate and download QR codes and have them link back to pages in the page tree.

TYPO3 Contribution in Numbers: January 2026

Mon, 02 Feb 2026 16:00:00 +0100

See the full recap of TYPO3’s January core contributions with 53 contributors, 163 reviews, bug fixes, features, and a big thank-you to our developers.

This Month in TYPO3: January 2026

Mon, 02 Feb 2026 11:15:31 +0100

New year, new vibe. The v14.1 announcement and Camino, the new default theme, give TYPO3 a fresh look, and security releases keep production calm. A thoughtful note on open-source AI stewardship and four funded community ideas for Round One 2026 set an optimistic tone for the year.

Introducing Camino – TYPO3's New Default Theme

Thu, 29 Jan 2026 11:41:00 +0100

Earlier this month we saw the release of TYPO3 14.1 and with it came the introduction of Camino – TYPO3’s new default theme.

Members Have Selected Four Ideas to be Funded in Round One 2026

Wed, 28 Jan 2026 00:00:00 +0100

The TYPO3 Association member poll for Round One in 2026 budget ideas has been finished and this time four winning ideas will be funded by the TYPO3 Association.

TYPO3 Association Board Report January–August 2025

Tue, 27 Jan 2026 12:00:00 +0100

This report gives insights into the TYPO3 Association Board’s activities during the first eight months of 2025, as well as some background information on ongoing projects and processes. It also recaps the General Assembly and gives insights into the Board’s strategic focus areas for the year.

Open Source, AI, and the Need for Shared Stewardship

Thu, 22 Jan 2026 13:40:35 +0100

In this conversation starter, Olivier Dobberkau outlines the pressures facing open source in the age of AI, and invites the TYPO3 community to rethink stewardship, responsibility, and sustainability together.

TYPO3 v14.1—New Look, New Feel

Tue, 20 Jan 2026 13:46:00 +0100

The second sprint release of the TYPO3 v14 series comes with an awesome frontend theme out-of-the-box, further user interface optimization in the backend, a new module to generate QR codes, plus a range of updates and improvements.

Vulnerability in bundled package in extension "Amazon AWS SDK" (aws)

Tue, 20 Jan 2026 08:33:00 +0100

Release Date: January 20, 2026Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.Component: "Amazon AWS SDK" (aws)Composer Package Name: Not availableVulnerability Type: Broken or Risky Cryptographic AlgorithmAffected Versions: 3.161.2 and belowSeverity: MediumSuggested CVSS v4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NReferences: CVE-2025-14761, CWE-1395, CWE-327

Problem Description

The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

Solution

All versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository, because the extension is outdated and unmaintained.

Please uninstall and delete the extension folder from your installation and search on the TYPO3 Extension Repository for alternative extensions.

Credits

Thanks to Michael Schams for reporting the vulnerability.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Vulnerability in bundled package in extension "Amazon Web Services (AWS) Toolbox" (aws_tools)

Tue, 20 Jan 2026 08:32:00 +0100

Release Date: January 20, 2026Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.Component: "Amazon Web Services (AWS) Toolbox" (aws_tools)Composer Package Name: leuchtfeuer/aws-toolsVulnerability Type: Broken or Risky Cryptographic AlgorithmAffected Versions: 12.0.0 - 12.0.1, 11.0.3 and belowSeverity: MediumSuggested CVSS v4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N References: CVE-2025-14761, CWE-1395, CWE-327

Problem Description

The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

Solution

Updated versions 11.0.4 and 12.0.2 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/aws_tools/11.0.3/zip
https://extensions.typo3.org/extension/download/aws_tools/12.0.2/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Michael Schams for reporting the vulnerability and to Leuchtfeuer Digital Marketing for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Vulnerability in bundled package in extension "AWS SDK for PHP" (aws_sdk_php)

Tue, 20 Jan 2026 08:31:00 +0100

Release Date: January 20, 2026Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.Component: "AWS SDK for PHP" (aws_sdk_php)Composer Package Name: Not availableVulnerability Type: Broken or Risky Cryptographic AlgorithmAffected Versions: 3.367.3 and belowSeverity: MediumSuggested CVSS v4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NReferences: CVE-2025-14761, CWE-1395, CWE-327

Problem Description

The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

Solution

An updated version 3.368.0 is available from the TYPO3 extension manager at

https://extensions.typo3.org/extension/download/aws_sdk_php/3.368.0/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Michael Schams for reporting the vulnerability and for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Insecure Deserialization in extension "Mailqueue" (mailqueue)

Tue, 20 Jan 2026 08:30:00 +0100

Release Date: January 20, 2026Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.Component: "Mailqueue" (mailqueue)Composer Package Name: cpsit/typo3-mailqueueVulnerability Type: Insecure DeserializationAffected Versions: 0.5.0, 0.4.2 and belowSeverity: MediumSuggested CVSS v4.0: AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:HReferences: CVE-2026-0895, CWE-502

Problem Description

The extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004. Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension.

More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004.

Solution

Updated versions 0.5.1 and 0.4.3 are available from the TYPO3 extension manager, packagist and at

https://extensions.typo3.org/extension/download/mailqueue/0.4.3/zip
https://extensions.typo3.org/extension/download/mailqueue/0.5.1/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to TYPO3 security team member Elias Häußler for reporting the vulnerability and for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

TYPO3 10.4.56 and 11.5.50 ELTS Released

Tue, 20 Jan 2026 08:30:00 +0100

Still sticking to an older version of TYPO3? Today, 10.4.56 and 11.5.50 have been released. Staying on top of maintenance updates should be a top priority - Gain peace of mind by opting for one of TYPO3 GmbH’s Extended Support offers!

TYPO3 13.4.24 and 12.4.42 maintenance releases published

Tue, 20 Jan 2026 08:30:00 +0100

The versions 13.4.24 and 12.4.42 of the TYPO3 Enterprise Content Management System have just been released.

AI Integration in TYPO3 Via MCP: The End of Backend Fumbling

Thu, 15 Jan 2026 16:34:18 +0100

Content management meets artificial intelligence — and takes a quantum leap. With the Model Context Protocol (MCP) extension for TYPO3, editors control their content directly from ChatGPT & Co. No more copy-paste, no more backend hopping. Simply write, edit, publish — all in one tool.

TYPO3 14.0.2, 13.4.23 and 12.4.41 security releases published

Tue, 13 Jan 2026 13:00:00 +0100

The versions 14.0.2, 13.4.23 and 12.4.41 of the TYPO3 Enterprise Content Management System have just been released.

TYPO3 10.4.55 and 11.5.49 ELTS Released

Tue, 13 Jan 2026 12:59:00 +0100

Still sticking to an older version of TYPO3? Today, 10.4.55 and 11.5.49 have been released. Staying on top of maintenance updates should be a top priority - Gain peace of mind by opting for one of TYPO3 GmbH’s Extended Support offers!

Insecure Deserialization via Mailer File Spool

Tue, 13 Jan 2026 12:04:00 +0100

Component Type: TYPO3 CMSSubcomponent: Mailer (ext:core)Release Date: January 13, 2026Vulnerability Type: Insecure DeserializationAffected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1Severity: MediumSuggested CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:HReferences: CVE-2026-0859, CWE-502

Problem Description

Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.

The vulnerability is triggered when TYPO3 is configured with $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file'; and a scheduler task or cron job runs the command mailer:spool:send. The spool‑send operation performs the insecure deserialization that is at the core of this issue.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

Broken Access Control in Recycler Module

Tue, 13 Jan 2026 12:03:00 +0100

Component Type: TYPO3 CMSSubcomponent: Recycler (ext:recycler)Release Date: January 13, 2026Vulnerability Type: Broken Access ControlAffected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1Severity: HighSuggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences: CVE-2025-59022, CWE-862

Problem Description

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Sven Jürgens and Daniel Windloff for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

Broken Access Control in Redirects Module

Tue, 13 Jan 2026 12:02:00 +0100

Component Type: TYPO3 CMSSubcomponent: Redirects (ext:redirects)Release Date: January 13, 2026Vulnerability Type: Broken Access ControlAffected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1Severity: MediumSuggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:NReferences: CVE-2025-59021, CWE-862

Problem Description

Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record - without restriction to the user’s own file‑mounts or web‑mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs - facilitating phishing or other malicious redirect attacks.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Georg Dümmler for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

Broken Access Control in Edit Document Controller

Tue, 13 Jan 2026 12:01:00 +0100

Component Type: TYPO3 CMSSubcomponent: Edit Document Controller (ext:backend)Release Date: January 13, 2026Vulnerability Type: Broken Access ControlAffected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1Severity: MediumSuggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:LReferences: CVE-2025-59020, CWE-863

Problem Description

By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields.

Solution

Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

Credits

Thanks to Daniel Windloff for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

Recognizing Open-Source Work as Volunteering in Germany

Thu, 08 Jan 2026 08:05:43 +0100

TYPO3 Association Board member Boris Hinzer outlines a new petition advocating for legal recognition of open-source work as volunteer service.

Coder's Corner: December 2025

Thu, 08 Jan 2026 07:44:00 +0100

See the full recap of TYPO3’s November core contributions with 47 contributors, 148 reviews, bug fixes, features, and a big thank-you to our developers.

Vote Now! Budget Ideas for Round 1/2026 Have Been Published

Wed, 07 Jan 2026 11:13:29 +0100

The call for community budget ideas for the first round of 2026 was successful: Six community and three team ideas have made it to the poll. These ideas can now be discussed and TYPO3 Association members can cast their vote.

This Month in TYPO3: December 2025

Tue, 06 Jan 2026 14:00:14 +0100

December closed out 2025 with solid releases and active community work. From security updates and tooling progress to conference highlights and upcoming events, this roundup captures where TYPO3 stands as it heads into 2026 — and introduces a new This Month in TYPO3 editor.