CVE-2025-59020: The 'Trust Me Bro' Vulnerability in TYPO3 CMS
Amit Schendel
Senior Security Researcher · Jan 14, 2026 · 7 min read
PoC Available
Executive Summary (TL;DR)
TYPO3's EditDocumentController blindly trusted user-supplied default values (`defVals`) as internal system state. By injecting data into this parameter, low-privilege attackers can bypass the DataHandler's permission checks and modify restricted database fields (like system flags or access controls) during record creation.
A logic flaw in TYPO3's backend controller allows authenticated editors to bypass field-level permissions by disguising malicious input as 'system default values', effectively modifying data they are strictly forbidden from touching.
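The pattern the summary describes, as an added illustration that is not TYPO3's code and not the project's actual fix: client-supplied "default values" are run through the same server-side writable-field check that applies to directly edited values, and anything dropped is logged so the attempt is visible in detection. All function and field names below are hypothetical, and the request data is constructed.

```php
<?php
// Illustrative example, not TYPO3's code. Field and function names are hypothetical.

/**
 * Keep only those client-supplied default values that name a field the
 * current user is authorized to write. Untrusted input must never be
 * treated as internal system state just because it arrived as a "default".
 *
 * @param array<string,mixed> $defaultValues  Values taken from the request (untrusted)
 * @param array<int,string>   $writableFields Fields the user may modify (server-side ACL)
 * @param array<int,string>   $rejected       Receives names of dropped fields, for audit logging
 * @return array<string,mixed>                Defaults that passed the permission check
 */
function filterDefaultValues(array $defaultValues, array $writableFields, array &$rejected = []): array
{
    $allowed  = array_fill_keys($writableFields, true);
    $accepted = [];
    $rejected = [];
    foreach ($defaultValues as $field => $value) {
        // Non-string keys and fields outside the ACL are dropped, not silently merged.
        if (!is_string($field) || !isset($allowed[$field])) {
            $rejected[] = (string)$field;
            continue;
        }
        $accepted[$field] = $value;
    }
    return $accepted;
}

// Constructed request data: an editor who may only set title and body also
// sends two hypothetical restricted fields (a system flag and an access setting).
$requestDefaults = [
    'title'        => 'Draft',
    'body'         => 'Lorem ipsum',
    'is_locked'    => 1,      // hypothetical system flag
    'access_level' => 'all',  // hypothetical access-control field
];
$userWritable = ['title', 'body'];

// Weak pattern (what the advisory describes): defaults merged into the record unchecked.
$recordUnchecked = array_merge(['pid' => 1], $requestDefaults);

// Hardened pattern: defaults pass the same ACL as edited values before reaching the record.
$rejected      = [];
$recordChecked = array_merge(['pid' => 1], filterDefaultValues($requestDefaults, $userWritable, $rejected));

if ($rejected !== []) {
    // Surfacing the dropped fields gives defenders a detection signal for privilege-probing.
    error_log('Dropped non-writable default fields: ' . implode(',', $rejected));
}

var_dump(array_keys($recordUnchecked)); // pid, title, body, is_locked, access_level
var_dump(array_keys($recordChecked));   // pid, title, body
```

The point of the hardened branch is that the permission decision is made from the server-side ACL (`$userWritable`), never from anything the client sends; the rejected-field log line is what a SOC would alert on.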
CVSS Score: 5.3 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Probability: 0.04%
Top 89% most exploited
Affected Systems
- TYPO3 CMS 10.0.0 - 10.4.54
- TYPO3 CMS 11.0.0 - 11.5.48
- TYPO3 CMS 12.0.0 - 12.4.40
- TYPO3 CMS 13.0.0 - 13.4.22
- TYPO3 CMS 14.0.0 - 14.0.1
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| TYPO3 CMS | >= 10.0.0, <= 10.4.54 | 10.4.55 |
| TYPO3 CMS | >= 11.0.0, <= 11.5.48 | 11.5.49 |
| TYPO3 CMS | >= 12.0.0, <= 12.4.40 | 12.4.41 |
| TYPO3 CMS | >= 13.0.0, <= 13.4.22 | 13.4.23 |
| TYPO3 CMS | >= 14.0.0, <= 14.0.1 | 14.0.2 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (Authenticated) |
| CVSS v4.0 | 5.3 (Medium) |
| CWE | CWE-862 (Missing Authorization) |
| Impact | Integrity Modification / ACL Bypass |
| EPSS Score | 0.00039 |
| Exploit Status | PoC Available |
Weakness Classification
CWE-862: Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
Vulnerability Timeline
- Vulnerability Disclosed: 2026-01-13
- Patch Released: 2026-01-13
- CVE Assigned: 2026-01-13