{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-47351","assignerOrgId":"f4fb688c-4412-4426-b4b8-421ecf27b14a","state":"PUBLISHED","assignerShortName":"TYPO3","dateReserved":"2026-05-19T12:49:25.966Z","datePublished":"2026-06-09T10:52:38.150Z","dateUpdated":"2026-06-11T13:26:46.003Z"},"containers":{"cna":{"providerMetadata":{"orgId":"f4fb688c-4412-4426-b4b8-421ecf27b14a","shortName":"TYPO3","dateUpdated":"2026-06-11T13:26:46.003Z"},"title":"TYPO3 CMS - Broken Access Control in Clipboard","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-862","description":"CWE-862 Missing Authorization","type":"CWE"},{"lang":"en","cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","type":"CWE"}]}],"affected":[{"vendor":"TYPO3","product":"TYPO3 CMS","collectionURL":"https://packagist.org","packageName":"typo3/cms-backend","repo":"https://github.com/TYPO3/typo3","modules":["Backend"],"versions":[{"status":"affected","version":"10.4.0","lessThan":"13.4.31","versionType":"semver"},{"status":"affected","version":"14.0.0","lessThan":"14.3.3","versionType":"semver"}],"defaultStatus":"unaffected"}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*","versionStartIncluding":"10.4.0","versionEndExcluding":"13.4.31","vulnerable":true},{"criteria":"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*","versionStartIncluding":"14.0.0","versionEndExcluding":"14.3.3","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"descriptions":[{"lang":"en","value":"Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2.","supportingMedia":[{"type":"text/html","base64":false,"value":"Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2."}]}],"references":[{"url":"https://typo3.org/security/advisory/typo3-core-sa-2026-014","tags":["vendor-advisory"]},{"url":"https://github.com/TYPO3/typo3/commit/932fbb9fcea25094e8bcc0f0ec5aab56b1d92451","name":"Git commit of main branch","tags":["patch"]},{"url":"https://github.com/TYPO3/typo3/commit/2740707563343d78184c0b7c6303a7484553d7f3","name":"Git commit of 13.4 branch","tags":["patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}],"credits":[{"lang":"en","value":"Vincent Yang","type":"reporter"},{"lang":"en","value":"Elias Häußler","type":"remediation developer"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.1"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-09T13:47:51.207926Z","id":"CVE-2026-47351","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-09T13:50:05.766Z"}}]}}