{"id":"CVE-2025-47940","summary":"TYPO3 CMS Vulnerable to Privilege Escalation to System Maintainer","details":"TYPO3 is an open-source, PHP-based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. Users should update to TYPO3 version 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.","aliases":["GHSA-6frx-j292-c844"],"modified":"2026-04-10T05:27:52.964972Z","published":"2025-05-20T14:06:07.374Z","database_specific":{"cwe_ids":["CWE-283"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47940.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47940.json"},{"type":"ADVISORY","url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-6frx-j292-c844"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47940"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-core-sa-2025-016"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"1f80000d7c594d2333efd2bef2f842338a0115a6"}],"database_specific":{"versions":[{"introduced":"12.0.0"},{"fixed":"12.4.31"}]}},{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"fixed":"812e327a74813bdb07d19cde3076d3d41b8ca4cf"}],"database_specific":{"versions":[{"introduced":"13.0.0"},{"fixed":"13.4.12"}]}}],"versions":["v12.0.0","v12.1.0","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.10","v12.4.11","v12.4.12","v12.4.13","v12.4.14","v12.4.15","v12.4.16","v12.4.17","v12.4.18","v12
.4.19","v12.4.2","v12.4.20","v12.4.21","v12.4.22","v12.4.23","v12.4.24","v12.4.25","v12.4.26","v12.4.27","v12.4.28","v12.4.29","v12.4.3","v12.4.30","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.4.9","v13.0.0","v13.1.0","v13.2.0","v13.2.1","v13.3.0","v13.4.0","v13.4.1","v13.4.10","v13.4.11","v13.4.2","v13.4.3","v13.4.4","v13.4.5","v13.4.6","v13.4.7","v13.4.8","v13.4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47940.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3.cms","events":[{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"1f80000d7c594d2333efd2bef2f842338a0115a6"},{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"fixed":"812e327a74813bdb07d19cde3076d3d41b8ca4cf"}],"database_specific":{"versions":[{"introduced":"12.0.0"},{"fixed":"12.4.31"},{"introduced":"13.0.0"},{"fixed":"13.4.12"}]}}],"versions":["v12.0.0","v12.1.0","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.10","v12.4.11","v12.4.12","v12.4.13","v12.4.14","v12.4.15","v12.4.16","v12.4.17","v12.4.18","v12.4.19","v12.4.2","v12.4.20","v12.4.21","v12.4.22","v12.4.23","v12.4.24","v12.4.25","v12.4.26","v12.4.27","v12.4.28","v12.4.29","v12.4.3","v12.4.30","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.4.9","v13.0.0","v13.1.0","v13.2.0","v13.2.1","v13.3.0","v13.4.0","v13.4.1","v13.4.10","v13.4.11","v13.4.2","v13.4.3","v13.4.4","v13.4.5","v13.4.6","v13.4.7","v13.4.8","v13.4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47940.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}