CVE-2025-59022

High

Published: 13 January 2026

Published

13 January 2026

Modified

14 January 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0002 4.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59022 is a high-severity Missing Authorization (CWE-862) vulnerability in Typo3 Typo3. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data Destruction (T1485) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of access control policies that directly prevent unauthorized deletions from database tables by backend users in the recycler module.

AC-6 Least Privilege good match

prevent

AC-6 least privilege restricts recycler module access to only necessary permissions, blocking deletions from unauthorized TCA-defined tables.

SI-2 Flaw Remediation good match

prevent

SI-2 flaw remediation requires applying TYPO3 patches that fix the missing authorization in the recycler module.

MITRE ATT&CK Enterprise TechniquesAI

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Missing authorization in recycler module directly enables unauthorized deletion of arbitrary database tables (stored data manipulation) resulting in data destruction and site unavailability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical…

site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Deeper analysisAI

CVE-2025-59022 is a missing authorization vulnerability (CWE-862) in TYPO3 CMS, published on 2026-01-13. It enables backend users with access to the recycler module to delete arbitrary data from any database table defined in the TCA, bypassing permissions for those tables. This can purge critical site data and render the website unavailable. The issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, and 14.0.0-14.0.1, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Attackers require low privileges, specifically backend access to the recycler module, to exploit this remotely over the network with low complexity and no user interaction. Successful exploitation allows deletion of data across unauthorized database tables, leading to high-impact destruction of site content and denial of service by making the website unavailable.

The TYPO3 security advisory (TYPO3-CORE-SA-2026-003) details the issue and mitigation, with fixes available in GitHub commits including 336d6f165458a0ce32d8330999ab9ab6a5983d20, a6604db66499710f72ae6e7006beb14ad0913aae, and efb9528f9882ac924c40598ebd8508479e9950a3. Security practitioners should apply these patches or upgrade to unaffected versions immediately.

Details

CWE(s): CWE-862

Affected Products

typo3

10.0.0 — 10.4.55 · 11.0.0 — 11.5.49 · 12.0.0 — 12.4.41

CVEs Like This One

CVE-2024-55924Same product: Typo3 Typo3

CVE-2024-55921Same product: Typo3 Typo3

CVE-2026-0859Same product: Typo3 Typo3

CVE-2024-11816Same product class: CMS core

CVE-2026-23898Same product class: CMS core

CVE-2024-40748Same product class: CMS core

CVE-2026-29070Shared CWE-862

CVE-2026-40488Same product class: CMS core

CVE-2026-26103Shared CWE-862

CVE-2025-24416Same product class: CMS core

References

https://github.com/TYPO3/typo3/commit/336d6f165458a0ce32d8330999ab9ab6a5983d20
Patch · f4fb688c-4412-4426-b4b8-421ecf27b14a
https://github.com/TYPO3/typo3/commit/a6604db66499710f72ae6e7006beb14ad0913aae
Patch · f4fb688c-4412-4426-b4b8-421ecf27b14a
https://github.com/TYPO3/typo3/commit/efb9528f9882ac924c40598ebd8508479e9950a3
Patch · f4fb688c-4412-4426-b4b8-421ecf27b14a
https://typo3.org/security/advisory/typo3-core-sa-2026-003
Vendor Advisory · f4fb688c-4412-4426-b4b8-421ecf27b14a