{"id":"CVE-2026-47349","summary":"TYPO3 CMS - Broken Access Control in Recycler","details":"Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.","aliases":["GHSA-f34x-rx2w-7pm3"],"modified":"2026-07-17T03:41:54.420225625Z","published":"2026-06-09T10:51:50.281Z","database_specific":{"cwe_ids":["CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47349.json","unresolved_ranges":[{"extracted_events":[{"fixed":"10.4.57"},{"introduced":"11.0.0"},{"fixed":"11.5.51"},{"introduced":"12.0.0"},{"fixed":"12.4.46"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"TYPO3"},"references":[{"type":"WEB","url":"https://packagist.org"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47349.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47349"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-core-sa-2026-011"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/92f08d8944f1aeccf506fcd323c260448c64d7c8"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/9f17a307cf774d63ab8291fc97c6b55653b4265a"},{"type":"PACKAGE","url":"https://github.com/TYPO3/typo3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"fd8745e46bb11773e85524b8ee9650dabe340713"},{"introduced":"6d6bd23afff6a48ee3efeaa68eb829820397d6a1"},{"fixed":"59bfeaaf0136dfe17011786ce825884e48bedc8d"},{"fixed":"e16ec78165a7d60f09dcac04bfbb309409e174b3"},{"fixed":"92f08d8944f1aeccf506fcd323c260448c64d7c8"},{"fixed":"9f17a307cf774d63ab8291fc97c6b55653b4265a"}],"database_specific":{"extracted_events":[{"introduced":"13.0.0"},{"fixed":"13.4.31"},{"introduced":"14.0.0"},{"fixed":"14.3.3"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v14.3.2","v13.4.30","v14.3.1","v13.4.29","v14.3.0","v13.4.28","v14.2.0","v13.4.27","v13.4.26","v14.1.0","v13.4.25","v13.4.24","v13.4.23","v13.4.22","v13.4.21","v14.0.0","v13.4.20","v13.4.19","v13.4.18","v13.4.17","v13.4.16","v13.4.15","v13.4.14","v13.4.13","v13.4.12","v13.4.11","v13.4.10","v13.4.9","v13.4.8","v13.4.7","v13.4.6","v13.4.5","v13.4.4","v13.4.3","v13.4.2","v13.4.1","v13.4.0","v13.3.0","v13.2.1","v13.2.0","v13.1.0","v13.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47349.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}