CVE-2026-49738: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in TYPO3 TYPO3 CMS
A path traversal vulnerability (CWE-22) exists in TYPO3 CMS because the pathname check in GeneralUtility::isAllowedAbsPath() compares the project-root prefix as a plain string, without requiring a directory-separator boundary. Administrator users with File Abstraction Layer access can use this to create file storage definitions that point outside the project root, bypassing the intended restriction. The affected versions span the 10.4, 11.5, 12.4, 13.4 and 14.3 branches prior to their patched releases. The CVSS v4.0 score is 2.1 (low), reflecting the high privileges required and the limited impact under the conditions described.
AI Analysis
Technical Summary
TYPO3 CMS contains a path traversal weakness in GeneralUtility::isAllowedAbsPath(): the function checks whether a candidate path starts with the project root using a plain string prefix comparison, without requiring that the match end at a directory separator. A sibling directory whose name merely begins with the root name therefore passes the check: with a project root of /var/www/html, the path /var/www/html-other/secret.yaml is accepted as if it were inside the root. Administrator users with access to the File Abstraction Layer (FAL) can exploit this to create file storage definitions whose base path lies outside the project root, bypassing the restriction the check is meant to enforce. The affected versions are listed as TYPO3 CMS before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
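The boundary problem described above, as an added example that is not TYPO3 code: a naive prefix check beside a hardened one that lexically normalises the path and requires the match to end exactly at the root or at a directory separator. The function names (isInsideRootNaive, isInsideRootStrict, normalisePath) and the PROJECT_ROOT constant are hypothetical; TYPO3's actual GeneralUtility::isAllowedAbsPath() implementation and its fix are not reproduced here.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. Shows the class of bug described in the
// advisory: a plain string-prefix check versus one that enforces a
// directory-separator boundary. All names here are hypothetical.
// Requires PHP 8.0+ for str_starts_with().

const PROJECT_ROOT = '/var/www/html';

/** Vulnerable: accepts any path that merely begins with the root string. */
function isInsideRootNaive(string $path, string $root = PROJECT_ROOT): bool
{
    return str_starts_with($path, $root);
}

/** Hardened: normalise first, then require the root itself or root + '/'. */
function isInsideRootStrict(string $path, string $root = PROJECT_ROOT): bool
{
    $root = rtrim($root, '/');
    $path = normalisePath($path);
    return $path === $root || str_starts_with($path, $root . '/');
}

/**
 * Lexically resolve '.' and '..' segments and collapse repeated slashes.
 * No filesystem access is performed, so symlinks are NOT resolved.
 */
function normalisePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

// Constructed test paths; the third one is the sibling-directory case from the advisory.
$cases = [
    '/var/www/html'                   => true,
    '/var/www/html/fileadmin/x.png'   => true,
    '/var/www/html-other/secret.yaml' => false,
    '/var/www/html/../html-other/a'   => false,
    '/var/www/html/./fileadmin/../x'  => true,
];

foreach ($cases as $candidate => $expected) {
    printf(
        "%-34s naive=%-5s strict=%-5s expected=%s\n",
        $candidate,
        var_export(isInsideRootNaive($candidate), true),
        var_export(isInsideRootStrict($candidate), true),
        var_export($expected, true)
    );
}
```

The naive check returns true for both /var/www/html-other/secret.yaml and the dot-dot variant, while the strict check rejects them. The normalisation is purely lexical, so a storage base path that is a symlink into another directory would still need a realpath() comparison against an existing directory; that is a separate check from the separator boundary this example demonstrates.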
Potential Impact
An attacker who already holds administrator privileges and has access to the File Abstraction Layer can bypass the path restriction and define a file storage whose base path lies outside the project root, which may expose or allow modification of files outside the intended directory scope. The CVSS v4.0 score of 2.1 (low) reflects that exploitation requires high privileges and that the confidentiality and integrity impact is low, with no availability impact.
Mitigation Recommendations
This entry records no remediation level, but the affected-version ranges above are bounded, which indicates that fixed releases exist; consult the TYPO3 security advisory for CVE-2026-49738 and upgrade to a release outside the affected range for your branch. Until the upgrade is done, limit the administrator accounts that can create or edit file storages to trusted users, and review the existing storage records (the sys_file_storage table; for the local driver, the basePath and pathType settings in each record's configuration) for any base path that resolves outside the project root. Treat a path that merely shares the root's string prefix, such as /var/www/html-other under a root of /var/www/html, as outside the root.
CVSS v4.0 score: 2.1 (low)
Weaknesses: CWE-22
Technical Details
- Data Version: 5.2
- Assigner Short Name: TYPO3
- Date Reserved: 2026-06-01T10:52:50.597Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: not recorded
Threat ID: 6a27f83d8dd33fbd8526d80a
Added to database: 6/9/2026, 11:25:49 AM
Last enriched: 6/9/2026, 11:41:21 AM
Last updated: 6/9/2026, 1:30:23 PM