CVE-2025-59020
Unknown Unknown - Not Provided
Field-Level Access Bypass in TYPO3 CMS via defVals Parameter

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: TYPO3

Description
By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59020
EUVD
EUVD-2026-2090
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
typo3 typo3_cms to 10.4.54 (inc)
typo3 typo3_cms to 11.5.48 (inc)
typo3 typo3_cms to 12.4.40 (inc)
typo3 typo3_cms to 13.4.22 (inc)
typo3 typo3_cms to 14.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in TYPO3 CMS involves the 'defVals' parameter used during new content creation. Attackers could exploit 'defVals' to bypass field-level access controls, allowing them to insert arbitrary data into database fields that should be restricted. This happens because 'defVals' historically bypassed permission checks enforced by the FormEngine and DataHandler components, enabling unauthorized default values to be set on new records. The security fix ensures that 'defVals' are now processed through the DataHandler's permission checks, preventing unauthorized data injection. [1, 2, 4]

Impact Analysis

This vulnerability can allow an attacker with limited write permissions to insert or modify data in database fields that are normally excluded or restricted. This means unauthorized data manipulation can occur during record creation in the TYPO3 backend, potentially compromising data integrity and security within the CMS. [1, 3]

Mitigation Strategies

To mitigate CVE-2025-59020, immediately update your TYPO3 CMS installation to one of the fixed versions: 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, or 14.0.2. These updates include patches that enforce permission checks on the defVals parameter during record creation, preventing unauthorized data injection. Additionally, review backend user permissions and restrict access to sensitive fields to minimize risk until the update is applied. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59020. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart