CVE-2026-47347 PUBLISHED

TYPO3 CMS - Open Redirect in Core Utilities

Assigner: TYPO3
Reserved: 19.05.2026 Published: 09.06.2026 Updated: 09.06.2026

Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
CVSS Score: 5.3

Product Status

Vendor TYPO3
Product TYPO3 CMS
Versions Default: unaffected
  • affected from 0 to 10.4.57 (excl.)
  • affected from 11.0.0 to 11.5.51 (excl.)
  • affected from 12.0.0 to 12.4.46 (excl.)
  • affected from 13.0.0 to 13.4.31 (excl.)
  • affected from 14.0.0 to 14.3.3 (excl.)

Credits

  • Alexandre Romao reporter
  • Benjamin Franzke remediation developer

References

Problem Types

  • CWE-601 URL Redirection to Untrusted Site ('Open Redirect') CWE