TYPO3 CMS FAL Media Module file download flaw (v1114)
CVE-2026-49742 Published on June 9, 2026

TYPO3 CMS - Broken Access Control in Media Module
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Weakness Types

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-49742 has been classified as a Directory traversal vulnerability or weakness.

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-49742 has been classified as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2026-49742


Affected Versions

TYPO3 CMS: