|
2231
|
- |
|
-
|
-
|
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content…
|
CWE-79
CWE-436
Cross-site Scripting
Interpretation Conflict
|
CVE-2026-47344
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2232
|
- |
|
-
|
-
|
Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
|
CWE-79
Cross-site Scripting
|
CVE-2026-47345
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2233
|
- |
|
-
|
-
|
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously cra…
|
CWE-862
Missing Authorization
|
CVE-2026-11607
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2234
|
- |
|
-
|
-
|
Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization …
|
CWE-862
Missing Authorization
|
CVE-2026-47343
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2235
|
- |
|
-
|
-
|
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafte…
|
CWE-178
CWE-862
Improper Handling of Case Sensitivity
Missing Authorization
|
CVE-2026-47346
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2236
|
- |
|
-
|
-
|
Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. …
|
CWE-601
Open Redirect
|
CVE-2026-47347
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2237
|
- |
|
-
|
-
|
Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search resul…
|
CWE-79
Cross-site Scripting
|
CVE-2026-47348
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2238
|
- |
|
-
|
-
|
Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4…
|
CWE-862
Missing Authorization
|
CVE-2026-47349
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2239
|
- |
|
-
|
-
|
Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.
|
CWE-862
Missing Authorization
|
CVE-2026-47350
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2240
|
- |
|
-
|
-
|
Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they we…
|
CWE-200
CWE-862
Information Exposure
Missing Authorization
|
CVE-2026-47351
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
