Cyber Resilience

CVE-2025-59022

High

Published: 13 January 2026

Published
13 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-59022 is a high-severity Missing Authorization (CWE-862) vulnerability in Typo3 Typo3. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-59022 is a missing authorization vulnerability (CWE-862) in TYPO3 CMS, published on 2026-01-13. It enables backend users with access to the recycler module to delete arbitrary data from any database table defined in the TCA, bypassing permissions for those tables. This can purge critical site data and render the website unavailable. The issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, and 14.0.0-14.0.1, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Attackers require low privileges, specifically backend access to the recycler module, to exploit this remotely over the network with low complexity and no user interaction. Successful exploitation allows deletion of data across unauthorized database tables, leading to high-impact destruction of site content and denial of service by making the website unavailable.

The TYPO3 security advisory (TYPO3-CORE-SA-2026-003) details the issue and mitigation, with fixes available in GitHub commits including 336d6f165458a0ce32d8330999ab9ab6a5983d20, a6604db66499710f72ae6e7006beb14ad0913aae, and efb9528f9882ac924c40598ebd8508479e9950a3. Security practitioners should apply these patches or upgrade to unaffected versions immediately.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical…

more

site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Missing authorization in recycler module directly enables unauthorized deletion of arbitrary database tables (stored data manipulation) resulting in data destruction and site unavailability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55924Same product: Typo3 Typo3
CVE-2026-0859Same product: Typo3 Typo3
CVE-2024-55921Same product: Typo3 Typo3
CVE-2024-11816Same product class: CMS core
CVE-2026-23898Same product class: CMS core
CVE-2025-24406Same product class: CMS core
CVE-2025-24415Same product class: CMS core
CVE-2025-24413Same product class: CMS core
CVE-2026-44554Shared CWE-862
CVE-2025-24409Same product class: CMS core

Affected Assets

typo3
typo3
10.0.0 — 10.4.55 · 11.0.0 — 11.5.49 · 12.0.0 — 12.4.41

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of access control policies that directly prevent unauthorized deletions from database tables by backend users in the recycler module.

prevent

AC-6 least privilege restricts recycler module access to only necessary permissions, blocking deletions from unauthorized TCA-defined tables.

prevent

SI-2 flaw remediation requires applying TYPO3 patches that fix the missing authorization in the recycler module.

References