Fieldlevel access bypass in TYPO3 CMS 10-14 via defVals param
CVE-2025-59020 Published on January 13, 2026

TYPO3 CMS Allows Broken Access Control in Edit Document Controller
By exploiting the defVals parameter, attackers could bypass fieldlevel access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Github Repository Vendor Advisory NVD

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2025-59020 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2025-59020

Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.

TYPO3
 

Affected Versions

TYPO3 CMS:

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-59020

Package Manager Vulnerable Package Versions Fixed In
composer typo3/cms-backend >= 14.0.0, <= 14.0.1 14.0.2
composer typo3/cms-backend >= 13.0.0, <= 13.4.22 13.4.23
composer typo3/cms-backend >= 12.0.0, <= 12.4.40 12.4.41
composer typo3/cms-backend >= 11.0.0, <= 11.5.48 11.5.49
composer typo3/cms-backend >= 10.0.0, <= 10.4.54 10.4.55

Exploit Probability

EPSS
0.01%
Percentile
1.29%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.