TYPO3 CMS Open Redirect via GeneralUtility::sanitizeLocalUrl (v<10.4.57)
CVE-2026-47347 Published on June 9, 2026
TYPO3 CMS - Open Redirect in Core Utilities
Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Weakness Type
What is an Open Redirect Vulnerability?
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
CVE-2026-47347 has been classified to as an Open Redirect vulnerability or weakness.
Products Associated with CVE-2026-47347
Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.
Affected Versions
TYPO3 CMS:- Before 10.4.57 is affected.
- Version 11.0.0 and below 11.5.51 is affected.
- Version 12.0.0 and below 12.4.46 is affected.
- Version 13.0.0 and below 13.4.31 is affected.
- Version 14.0.0 and below 14.3.3 is affected.