TYPO3 CMS Workspace Auth Bypass via AJAX (v9–13)
CVE-2025-59018 Published on September 9, 2025

Information Disclosure in Workspaces Module
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.


Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2025-59018 has been classified as an Information Disclosure vulnerability or weakness.


Affected Versions

TYPO3 CMS:

Exploit Probability

EPSS: 0.05%
Percentile: 14.61%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.