What is GHSA-qcmw-6rm2-5x78?

GHSA-qcmw-6rm2-5x78 is a security advisory published by GitHub Security Advisories with Medium severity. TYPO3 CMS has Broken Access Control in its DataHandler

Which CVE IDs does GHSA-qcmw-6rm2-5x78 cover?

GHSA-qcmw-6rm2-5x78 covers the following CVE IDs: CVE-2026-47350. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-qcmw-6rm2-5x78?

GHSA-qcmw-6rm2-5x78 affects 2 products, including: composer/typo3/cms-core:\u003e= 13.0.0, \u003c 13.4.31; composer/typo3/cms-core:\u003e= 14.0.0, \u003c 14.3.3.

GHSA-qcmw-6rm2-5x78Medium

TYPO3 CMS has Broken Access Control in its DataHandler

Vendor

GitHub Security Advisories

Published

June 12, 2026

Last Modified

June 12, 2026

🔗 CVE IDs covered (1)

CVE-2026-47350 →

📋 Description

Problem

Backend users were able to move records to a different page without having edit permissions on the source page.

Solution

Update to TYPO3 versions 13.4.31 LTS, 14.3.3 LTS that fix the problem described.

Credits

TYPO3 CMS thanks Hyunseo Shin for reporting this issue, and TYPO3 security team member Torben Hansen for fixing it.

Resources

TYPO3-CORE-SA-2026-012

🎯 Affected products2

composer/typo3/cms-core:>= 13.0.0, < 13.4.31
composer/typo3/cms-core:>= 14.0.0, < 14.3.3

🔗 References (7)

https://github.com/TYPO3/typo3/security/advisories/GHSA-qcmw-6rm2-5x78
https://nvd.nist.gov/vuln/detail/CVE-2026-47350
https://github.com/TYPO3/typo3/commit/195356996a60e40aeb2cd3e45a5f5c8940d5e116
https://github.com/TYPO3/typo3/commit/c9898d2e67608eda78f8bd1f06ee9cf05a872a56
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47350.yaml
https://typo3.org/security/advisory/typo3-core-sa-2026-012
https://github.com/advisories/GHSA-qcmw-6rm2-5x78