Official typo3.org security advisories https://typo3.org/security en-gb TYPO3 News Sat, 23 May 2026 18:48:21 +0200 Sat, 23 May 2026 18:48:21 +0200 TYPO3 EXT:news news-2929 Tue, 19 May 2026 11:06:00 +0200 TYPO3-EXT-SA-2026-013: Remote Code Execution in extension "Content Element Selector" (ceselector) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-013 It has been discovered that the extension "Content Element Selector" (ceselector) is vulnerable to Remote Code Execution.
  • Release Date: May 19, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Content Element Selector" (ceselector)
  • Composer Package Name: mmc/ceselector
  • Vulnerability Type: Insecure Deserialization
  • Affected Versions: 6.0.0, 5.0.0, 4.0.0 - 4.0.1, 3.0.2 and below
  • Severity: Critical
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • References: CVE-2026-46725, CWE-502

    • Problem Description

    The extension fails  to safely process untrusted client input of an attacker-controlled cookie directly to PHP's unserialize(). A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server.

    Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.

    Solution

    Updated versions 6.0.1, 5.0.1, 4.0.2 and 3.0.3 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/ceselector/6.0.1/zip
    https://extensions.typo3.org/extension/download/ceselector/5.0.1/zip
    https://extensions.typo3.org/extension/download/ceselector/4.0.2/zip
    https://extensions.typo3.org/extension/download/ceselector/3.0.3/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to TYPO3 Security Team member Torben Hansen for reporting the vulnerability and to Matthias Mächler for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2928 Tue, 19 May 2026 11:05:00 +0200 TYPO3-EXT-SA-2026-012: SQL Injection in extension "Address List" (tt_address) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-012 It has been discovered that the extension "Address List" (tt_address) is vulnerable to SQL Injection.
  • Release Date: May 19, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Address List" (tt_address)
  • Composer Package Name: friendsoftypo3/tt-address
  • Vulnerability Type: SQL Injection
  • Affected Versions: 10.0.0, 9.0.0 - 9.1.0, 8.1.1 and below
  • Severity: Medium (rated lower than the CVSS score, as the vulnerable method is not invoked by the extension itself)
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2026-8827, CWE-89

    • Problem Description

    The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input leading to SQL Injection.

    The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection

    Solution

    Updated versions 10.0.1, 9.1.1 and 8.1.2 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/tt_address/10.0.1/zip
    https://extensions.typo3.org/extension/download/tt_address/9.1.1/zip
    https://extensions.typo3.org/extension/download/tt_address/8.1.2/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to TYPO3 Core and Security Team member Georg Ringer for reporting the vulnerability and for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2927 Tue, 19 May 2026 11:03:00 +0200 TYPO3-EXT-SA-2026-011: Multiple vulnerabilities in extension "Faceted Search" (ke_search) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-011 It has been discovered that the extension "Faceted Search" (ke_search) is vulnerable to XML External Entity injection, Path Traversal and Information Disclosure.
  • Release Date: May 19, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Faceted Search" (ke_search)
  • Composer Package Name: tpwd/ke_search
  • Vulnerability Type: XML External Entity injection, Path Traversal and Information Disclosure
  • Affected Versions: 7.0.0, 6.0.0 - 6.6.0, 5.6.1 and below
  • Severity: Medium
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
  • References: CVE-2026-46722, CVE-2026-46723, CVE-2026-46724, CWE-611, CWE-668, CWE-22

    • Problem Description

    The OOXML parsing of the file indexer does not disable external entity resolution, making it susceptible to XML External Entity Injection. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.

    Additionally, the additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names, allowing a backend user with permission to edit indexer configurations to copy sensitive data from internal TYPO3 tables into the search index. Similarly, the file indexer does not normalize the configured directories path, allowing such a user to index documents from arbitrary locations on the server file system through path traversal sequences.

    Solution

    Updated versions 7.0.1, 6.6.1 and 5.6.2 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/ke_search/7.0.1/zip
    https://extensions.typo3.org/extension/download/ke_search/6.6.1/zip
    https://extensions.typo3.org/extension/download/ke_search/5.6.2/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Seungbin Yang for reporting the vulnerabilities and to Christian Bülter for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2926 Tue, 19 May 2026 11:02:00 +0200 TYPO3-EXT-SA-2026-010: SQL Injection in extension "News system" (news) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-010 It has been discovered that the extension "News system" (news) is vulnerable to SQL Injection.
  • Release Date: May 19, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "News system" (news)
  • Composer Package Name: georgringer/news
  • Vulnerability Type: SQL Injection
  • Affected Versions: 14.0.0 - 14.0.2, 13.0.0 - 13.0.1, 12.0.0 - 12.3.1, 11.4.3 and below
  • Severity: High
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2026-8726, CWE-89

    • Problem Description

    The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin.

    Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

    Solution

    Updated versions 14.0.3, 13.0.2, 12.3.2 and 11.4.4 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/news/14.0.3/zip
    https://extensions.typo3.org/extension/download/news/13.0.2/zip
    https://extensions.typo3.org/extension/download/news/12.3.2/zip
    https://extensions.typo3.org/extension/download/news/11.4.4/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to TYPO3 Core Team member Christian Kuhn for reporting the vulnerability and to TYPO3 Core and Security Team member Georg Ringer for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2925 Tue, 19 May 2026 11:01:00 +0200 TYPO3-EXT-SA-2026-009: Broken Access Control in extension "Frontend User Registration" (sf_register) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-009 It has been discovered that the extension "Frontend User Registration" (sf_register) is vulnerable to Broken Access Control.
  • Release Date: May 19, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Frontend User Registration" (sf_register)
  • Composer Package Name: evoweb/sf-register
  • Vulnerability Type: Broken Access Control
  • Affected Versions: 14.0.0 - 14.0.1, 13.2.3 and below
  • Severity: Medium
  • Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2026-46721, CWE-915, CWE-639

    • Problem Description

    The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.

    Solution

    Updated versions 14.0.2 and 13.2.4 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/sf_register/14.0.2/zip
    https://extensions.typo3.org/extension/download/sf_register/13.2.4/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Seungbin Yang for reporting the vulnerability and to Sebastian Fischer for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2924 Tue, 19 May 2026 11:00:00 +0200 TYPO3-EXT-SA-2026-008: Remote Code Execution in extension "Site Crawler" (crawler) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-008 It has been discovered that the extension "Site Crawler" (crawler) is vulnerable to Remote Code Execution.
  • Release Date: May 19, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Site Crawler" (crawler)
  • Composer Package Name: tomasnorre/crawler
  • Vulnerability Type: Insecure Deserialization
  • Affected Versions: 12.0.0 - 12.0.10, 11.0.12 and below
  • Severity: High
  • Suggested CVSS v4.0: AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
  • References: CVE-2026-8727, CWE-502

    • Problem Description

    The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server.

    Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task, but can be abused by non-super-admin administrators to escalate privileges.

    Solution

    Updated versions 12.0.11 and 11.0.13 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/crawler/12.0.11/zip
    https://extensions.typo3.org/extension/download/crawler/11.0.13/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Roman Hergenreder for reporting the vulnerability and to Tomas Norre Mikkelsen for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2923 Tue, 21 Apr 2026 11:05:00 +0200 TYPO3-CORE-SA-2026-005: Cleartext storage of Backend User Passwords Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2026-005 It has been discovered that TYPO3 CMS is susceptible to sensitive data exposure.

    Problem Description

    The backend user settings module (SetupModuleController) incorrectly conflates entity data (like passwords or email address) with user-interface settings (like theme, display options) when persisting changes. As a result, passwords were stored in cleartext in the uc and user_settings fields of the be_users database table.

    The cleartext data was only persisted if users changed their credentials in the backend user settings module when the TYPO3 14.2.0 release was used (not in any other version).

    Solution

    Update to TYPO3 version 14.3.0 LTS that fixes the problem described.

    Manual actions required

    Updating to the patched release does not retroactively clean existing data. It is recommended to execute all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, which sanitizes the incorrectly persisted cleartext values from the uc and user_settings fields of the be_users table. Additionally, affected backend user accounts should be assigned new passwords.

    Admin Tools → Upgrade → Upgrade Wizard → User Settings Scrubbing

    Credits

    Thanks to Martin Clewing for reporting this issue, and to TYPO3 core team members Oliver Hader, Stefan Bürk and Garvin Hicking for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2922 Tue, 17 Mar 2026 10:02:00 +0100 TYPO3-EXT-SA-2026-007: Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-007 It has been discovered that the extension "E-Mail MFA Provider" (mfa_email) is vulnerable to Authentication Bypass.
  • Release Date: March 17, 2026
  • Updated: March 22, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "E-Mail MFA Provider" (mfa_email)
  • Composer Package Name: ralffreit/mfa-email
  • Vulnerability Type: Authentication Bypass
  • Affected Versions: 2.0.0, 1.0.5 and below
  • Severity: High
  • Suggested CVSS v4.0: AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • References: CVE-2026-4208, CWE-288

    • Problem Description

    The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.

    The vulnerability is only exploitable, when the “E-Mail MFA Provider” is not the default MFA provider and when at least one other MFA provider is available to the user.

    Solution

    Updated versions 2.0.1 and 1.0.7 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/mfa_email/2.0.1/zip
    https://extensions.typo3.org/extension/download/mfa_email/1.0.7/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Jan Holtkötter for reporting the vulnerability and to Ralf Freit for providing an updated version of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2921 Tue, 17 Mar 2026 10:01:00 +0100 TYPO3-EXT-SA-2026-006: Broken Access Control in extension "Redirect Tab" (redirect_tab) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-006 It has been discovered that the extension "Redirect Tab" (redirect_tab) is vulnerable to Broken Access Control.
  • Release Date: March 17, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Redirect Tab" (redirect_tab)
  • Composer Package Name: ayacoo/redirect-tab
  • Vulnerability Type: Broken Access Control
  • Affected Versions: 4.0.0 - 4.0.4, 3.0.0 - 3.1.6, 2.1.1 and below
  • Severity: Low
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2026-4202, CWE-862, CWE-200

    • Problem Description

    The extension fails to verify, if an authenticated user has permissions to access redirects resulting in exposure of redirect records when editing a page.

    Solution

    Updated versions 4.0.5, 3.1.7 and 2.1.2 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/redirect_tab/4.0.5/zip
    https://extensions.typo3.org/extension/download/redirect_tab/3.1.7/zip
    https://extensions.typo3.org/extension/download/redirect_tab/2.1.2/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Guido Schmechel for reporting the vulnerability and for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2920 Tue, 17 Mar 2026 10:00:00 +0100 TYPO3-EXT-SA-2026-005: Insecure Deserialization in extension "Mailqueue" (mailqueue) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-005 It has been discovered that the extension "Mailqueue" (mailqueue) is vulnerable to insecure deserialization.
  • Release Date: March 17, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Mailqueue" (mailqueue)
  • Composer Package Name: cpsit/typo3-mailqueue
  • Vulnerability Type: Insecure Deserialization
  • Affected Versions: 0.5.0 - 0.5.1, 0.4.4 and below
  • Severity: Medium
  • Suggested CVSS v4.0: AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
  • References: CVE-2026-1323, CWE-502

    • Problem Description

    The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].

    Solution

    Updated versions 0.5.2 and 0.4.5 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/mailqueue/0.4.5/zip
    https://extensions.typo3.org/extension/download/mailqueue/0.5.2/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to TYPO3 security team member Elias Häußler for reporting the vulnerability and for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2919 Tue, 20 Jan 2026 08:33:00 +0100 TYPO3-EXT-SA-2026-004: Vulnerability in bundled package in extension "Amazon AWS SDK" (aws) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-004 It has been discovered that the extension "Amazon AWS SDK" (aws) bundles a vulnerable version of “aws/aws-sdk-php“ which is susceptible to use of a Broken or Risky Cryptographic Algorithm.
  • Release Date: January 20, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Amazon AWS SDK" (aws)
  • Composer Package Name: Not available
  • Vulnerability Type: Broken or Risky Cryptographic Algorithm
  • Affected Versions: 3.161.2 and below
  • Severity: Medium
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2025-14761, CWE-1395, CWE-327

    • Problem Description

    The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

    Solution

    All versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository, because the extension is outdated and unmaintained.

    Please uninstall and delete the extension folder from your installation and search on the TYPO3 Extension Repository for alternative extensions.

    Credits

    Thanks to Michael Schams  for reporting the vulnerability.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2918 Tue, 20 Jan 2026 08:32:00 +0100 TYPO3-EXT-SA-2026-003: Vulnerability in bundled package in extension "Amazon Web Services (AWS) Toolbox" (aws_tools) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-003 It has been discovered that the extension "Amazon Web Services (AWS) Toolbox" (aws_tools) bundles a vulnerable version of “aws/aws-sdk-php“ which is susceptible to use of a Broken or Risky Cryptographic Algorithm.
  • Release Date: January 20, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Amazon Web Services (AWS) Toolbox" (aws_tools)
  • Composer Package Name: leuchtfeuer/aws-tools
  • Vulnerability Type: Broken or Risky Cryptographic Algorithm
  • Affected Versions: 12.0.0 - 12.0.1, 11.0.3 and below
  • Severity: Medium
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N 
  • References: CVE-2025-14761, CWE-1395, CWE-327

    • Problem Description

    The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

    Solution

    Updated versions 11.0.4 and 12.0.2 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/aws_tools/11.0.3/zip
    https://extensions.typo3.org/extension/download/aws_tools/12.0.2/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Michael Schams  for reporting the vulnerability and to Leuchtfeuer Digital Marketing for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2917 Tue, 20 Jan 2026 08:31:00 +0100 TYPO3-EXT-SA-2026-002: Vulnerability in bundled package in extension "AWS SDK for PHP" (aws_sdk_php) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-002 It has been discovered that the extension "AWS SDK for PHP" (aws_sdk_php) bundles a vulnerable version of “aws/aws-sdk-php“ which is susceptible to use of a Broken or Risky Cryptographic Algorithm.
  • Release Date: January 20, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "AWS SDK for PHP" (aws_sdk_php)
  • Composer Package Name: Not available
  • Vulnerability Type: Broken or Risky Cryptographic Algorithm
  • Affected Versions: 3.367.3 and below
  • Severity: Medium
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2025-14761, CWE-1395, CWE-327

    • Problem Description

    The extension bundles the PHP package “aws/aws-sdk-php”, which contains a known Broken or Risky Cryptographic Algorithm vulnerability.

    Solution

    An updated version 3.368.0 is available from the TYPO3 extension manager at

    https://extensions.typo3.org/extension/download/aws_sdk_php/3.368.0/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Michael Schams  for reporting the vulnerability and for providing an updated version of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2916 Tue, 20 Jan 2026 08:30:00 +0100 TYPO3-EXT-SA-2026-001: Insecure Deserialization in extension "Mailqueue" (mailqueue) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2026-001 It has been discovered that the extension "Mailqueue" (mailqueue) is vulnerable to insecure deserialization.
  • Release Date: January 20, 2026
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Mailqueue" (mailqueue)
  • Composer Package Name: cpsit/typo3-mailqueue
  • Vulnerability Type: Insecure Deserialization
  • Affected Versions: 0.5.0, 0.4.2 and below
  • Severity: Medium
  • Suggested CVSS v4.0: AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
  • References: CVE-2026-0895, CWE-502

    • Problem Description

    The extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004. Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension.

    More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004.

    Solution

    Updated versions 0.5.1 and 0.4.3 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/mailqueue/0.4.3/zip
    https://extensions.typo3.org/extension/download/mailqueue/0.5.1/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to TYPO3 security team member Elias Häußler for reporting the vulnerability and for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2915 Tue, 13 Jan 2026 12:04:00 +0100 TYPO3-CORE-SA-2026-004: Insecure Deserialization via Mailer File Spool Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2026-004 It has been discovered that TYPO3 CMS is vulnerable to insecure deserialization.

    Problem Description

    Local platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.

    The vulnerability is triggered when TYPO3 is configured with $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file'; and a scheduler task or cron job runs the command mailer:spool:send. The spool‑send operation performs the insecure deserialization that is at the core of this issue.

    Solution

    Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

    Credits

    Thanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2914 Tue, 13 Jan 2026 12:03:00 +0100 TYPO3-CORE-SA-2026-003: Broken Access Control in Recycler Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2026-003 It has been discovered that TYPO3 CMS is susceptible to broken access control.

    Problem Description

    Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable.

    Solution

    Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

    Credits

    Thanks to Sven Jürgens and Daniel Windloff for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2913 Tue, 13 Jan 2026 12:02:00 +0100 TYPO3-CORE-SA-2026-002: Broken Access Control in Redirects Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2026-002 It has been discovered that TYPO3 CMS is susceptible to broken access control.

    Problem Description

    Backend users with access to the redirects module and write permission on the sys_redirect table were able to  read, create, and modify any redirect record - without restriction to the user’s own file‑mounts or web‑mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs - facilitating phishing or other malicious redirect attacks.

    Solution

    Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

    Credits

    Thanks to Georg Dümmler for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2912 Tue, 13 Jan 2026 12:01:00 +0100 TYPO3-CORE-SA-2026-001: Broken Access Control in Edit Document Controller Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2026-001 It has been discovered that TYPO3 CMS is susceptible to broken access control.

    Problem Description

    By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields.

    Solution

    Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.

    Credits

    Thanks to Daniel Windloff for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2911 Wed, 17 Dec 2025 10:00:00 +0100 TYPO3-EXT-SA-2025-016: Vulnerability in bundled package in extension "Single Sign-on with SAML" (md_saml) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2025-016 It has been discovered that the extension "Single Sign-on with SAML" (md_saml) bundles a vulnerable version of “onelogin/php-saml“ which is susceptible to Authentication Bypass.
  • Release Date: December 17, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Single Sign-on with SAML" (md_saml)
  • Composer Package Name: mediadreams/md_saml
  • Vulnerability Type: Authentication Bypass
  • Affected Versions: 3.0.7 and below, 4.0.0 - 4.0.4
  • Severity: Critical
  • Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2025-66475, CWE-1395

    • Problem Description

    The extension bundles the PHP package “onelogin/php-saml”, which is affected by a Authentication Bypass vulnerability via a Signature Validation Bypass vulnerability in “robrichards/xmlseclibs”.

    Solution

    Updated versions 3.0.8 and 4.0.5 are available from the TYPO3 extension manager, packagist and at

    https://extensions.typo3.org/extension/download/md_saml/3.0.8/zip
    https://extensions.typo3.org/extension/download/md_saml/4.0.5/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Christoph Daecke  for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2908 Wed, 12 Nov 2025 11:31:00 +0100 TYPO3-EXT-SA-2025-015: Broken Authentication in extension "Modules" (modules) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2025-015 It has been discovered that the extension "Modules" (modules) is susceptible to Broken Authentication.
  • Release Date: November 12, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: “Modules” (modules)
  • Composer Package Name: codingms/modules
  • Vulnerability Type: Broken Authentication
  • Affected Versions: 4.3.10 and below, 5.0.0 - 5.7.3, 6.0.0 - 6.4.1, 7.0.0 - 7.5.4
  • Severity: High
  • Suggested CVSS v4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2025-12998, CWE-862

    • Problem Description

    The extension provides a feature to login as a frontend user for authenticated backend users by calling a special URL. The implemented access check can however be bypassed, if the extension setting “module.frontendUser.allowNonAdminUsersToLoginAsFrontendUser” is enabled, resulting in an unauthenticated remote user to login as any frontend user.

    Solution

    Updated versions 4.3.11, 5.7.4, 6.4.2 and 7.5.5 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/modules/4.3.11/zip 
    https://extensions.typo3.org/extension/download/modules/5.7.4/zip 
    https://extensions.typo3.org/extension/download/modules/6.4.2/zip 
    https://extensions.typo3.org/extension/download/modules/7.5.5/zip 

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Thomas Deuling for reporting the vulnerability and  for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2907 Wed, 12 Nov 2025 11:30:00 +0100 TYPO3-EXT-SA-2025-014: Vulnerability in bundled package in extension "Forms Export" (frp_form_answers) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2025-014 It has been discovered that the extension "Forms Export" (frp_form_answers) bundles a vulnerable version of "phpoffice/phpspreadsheet", which is susceptible to Server-Side Request Forgery.
  • Release Date: November 12, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: “Forms Export” (frp_form_answers)
  • Composer Package Name: frappant/frp-form-answers
  • Vulnerability Type: Server-Side Request Forgery
  • Affected Versions: 5.0.3 and below, 6.0.0 - 6.1.1
  • Severity: High
  • Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2025-54370, CWE-918

    • Problem Description

    The TER extension bundles the PHP package “phpoffice/phpspreadsheet”, which is affected by a Server-Side Request Forgery vulnerability.

    Note: The extension does not bundle the PHP package “phpoffice/phpspreadsheet” anymore. The Excel Export feature does only work, when the extension is installed via composer.

    Solution

    Updated versions 5.0.4 and 6.1.2 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/frp_form_answers/5.0.4/zip
    https://extensions.typo3.org/extension/download/frp_form_answers/6.1.2/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Mikel Wohlschlegel for reporting the vulnerability and to Jonas Hirschi for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2877 Tue, 16 Sep 2025 10:31:00 +0200 TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension "Base Excel" (base_excel) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2025-013 It has been discovered that the extension "Base Excel" (base_excel) bundles a vulnerable version of “phpoffice/phpspreadsheet“ which is susceptible to Server-Side Request Forgery.
  • Release Date: September 16, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Base Excel" (base_excel)
  • Composer Package Name: jambagecom/base-excel
  • Vulnerability Type: Server-Side Request Forgery
  • Affected Versions: 4.5.0 and below
  • Severity: High
  • Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • References: CVE-2025-54370, CWE-918

    • Problem Description

    The TER extension bundles the PHP package “phpoffice/phpspreadsheet”, which is affected by a Server-Side Request Forgery vulnerability.

    Solution

    An updated version 5.1.0 is available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/base_excel/5.1.0/zip

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Franz Holzinger  for providing an updated version of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2876 Tue, 16 Sep 2025 10:30:00 +0200 TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to Database" (form_to_database) Torben Hansen https://typo3.org/security/advisory/typo3-ext-sa-2025-012 It has been discovered that the extension "Form to Database" (form_to_database) is susceptible to Cross-Site Scripting.
  • Release Date: September 16, 2025
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "Form to Database" (form_to_database)
  • Composer Package Name: lavitto/typo3-form-to-database
  • Vulnerability Type: Cross-Site Scripting
  • Affected Versions: 2.2.4 and below, 3.0.0 - 3.2.1, 4.0.0 - 4.2.2, 5.0.0 - 5.0.1
  • Severity: Low
  • Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • References: CVE-2025-10316CWE-79

    • Problem Description

    The extension fails to properly encode user input for output in HTML context in TYPO3 backend user interface.

    Solution

    Updated versions 2.2.5, 3.2.2, 4.2.3 and 5.0.2 are available from the TYPO3 extension manager, packagist and at
    https://extensions.typo3.org/extension/download/form_to_database/2.2.5/zip  
    https://extensions.typo3.org/extension/download/form_to_database/3.2.2/zip  
    https://extensions.typo3.org/extension/download/form_to_database/4.2.3/zip  
    https://extensions.typo3.org/extension/download/form_to_database/5.0.2/zip    

    Users of the extension are advised to update the extension as soon as possible.

    Credits

    Thanks to Sascha Egerer for reporting the vulnerability and to Liquid Light for providing updated versions of the extension.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    ]]>     Development     news-2873 Tue, 09 Sep 2025 11:07:00 +0200 TYPO3-CORE-SA-2025-023: Information Disclosure via CSV Download Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-023 It has been discovered that TYPO3 CMS is susceptible to information disclosure.

    Problem Description

    The CSV download feature in the backend user interface allowed callers to request arbitrary data from the database without performing a permission check on the target table. Consequently, a backend user without rights to a particular database table could retrieve records, leading to information disclosure. This vulnerability was limited to database records that fell within the page tree the user was already permitted to access.

    Solution

    Update to TYPO3 versions 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

    Credits

    Thanks to TYPO3 core & security team member Oliver Hader for reporting the issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2872 Tue, 09 Sep 2025 11:06:00 +0200 TYPO3-CORE-SA-2025-022: Information Disclosure in Workspaces Module Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-022 It has been discovered that TYPO3 CMS is susceptible to information disclosure.

    Problem Description

    In addition to the vulnerability documented in TYPO3‑CORE‑SA‑2025‑021 (CVE‑2025‑59017), any authenticated backend user could invoke a backend AJAX route belonging to the workspaces module.

    The route allowed the caller to request arbitrary data from the database, without performing a permission check on the target table. Consequently, a backend user without rights to a particular database table could retrieve sensitive records, leading to information disclosure.

    Solution

    Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

    Credits

    Thanks to TYPO3 core & security team member Oliver Hader for reporting and fixing this issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2871 Tue, 09 Sep 2025 11:05:00 +0200 TYPO3-CORE-SA-2025-021: Broken Access Control in Backend AJAX Routes Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-021 It has been discovered that TYPO3 CMS is susceptible to broken access control.

    Problem Description

    Dedicated AJAX routes used by TYPO3 backend modules were not protected by the same permission checks that guard the modules themselves. As a result, an authenticated backend user could directly call these routes - even if the user had no permissions to the corresponding module.
    This allowed users to read, modify, or delete data directly - effectively bypassing module‑level restrictions.

    Solution

    Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

    The AJAX route property inheritAccessFromModule is introduced. When this property is set, a route is explicitly bound to the permissions of a specified backend module.

    In general, developers are advised to always verify authorization on target resources (pages, database tables, files, etc.) within the corresponding AJAX handler or controller. More details are available at https://docs.typo3.org/permalink/t3coreapi:be-user-check.

    Credits

    Thanks to TYPO3 security team member Elias Häußler for reporting and fixing this issue.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2870 Tue, 09 Sep 2025 11:04:00 +0200 TYPO3-CORE-SA-2025-020: Information Disclosure via File Abstraction Layer Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-020 It has been discovered that TYPO3 CMS is susceptible to information disclosure.

    Problem Description

    When specific low‑level file‑system operations fail during execution through the File Abstraction Layer, the full path of the affected resource is disclosed. Exploiting this vulnerability requires a valid backend user account.

    Solution

    Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

    Credits

    Thanks to Dmitry Petschke and Marc Willmann for reporting this issue, and to TYPO3 core team member Andreas Kienast for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2869 Tue, 09 Sep 2025 11:03:00 +0200 TYPO3-CORE-SA-2025-019: Insufficient Entropy in Password Generation Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-019 It has been discovered that TYPO3 CMS is susceptible to insufficient entropy.

    Problem Description

    By default, the Password Generation component creates a password that always begins with a deterministic three‑character prefix (lower‑case, upper‑case, digit). Consequently, the effective entropy of the generated passwords is lower than expected. Invocations that employ the random password rules are unaffected.

    Solution

    Update to TYPO3 versions 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

    Credits

    Thanks to Mathias Brodala for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2868 Tue, 09 Sep 2025 11:02:00 +0200 TYPO3-CORE-SA-2025-018: Denial of Service in TYPO3 Bookmark Toolbar Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-018 It has been discovered that TYPO3 CMS is susceptible to denial of service.

    Problem Description

    Due to insufficient input validation, manipulated data saved in the bookmark toolbar of the backend user interface causes a general error state, blocking further access to the interface. Exploiting this vulnerability requires an administrator-level backend user account.

    Solution

    Update to TYPO3 versions 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

    Credits

    Thanks to Jakub Świes for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS     news-2867 Tue, 09 Sep 2025 11:01:00 +0200 TYPO3-CORE-SA-2025-017: Open Redirect in TYPO3 CMS Oliver Hader https://typo3.org/security/advisory/typo3-core-sa-2025-017 It has been discovered that TYPO3 CMS is susceptible to open redirect.

    Problem Description

    Applications that use TYPO3\CMS\Core\Utility\GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks.

    Solution

    Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

    Credits

    Thanks to TYPO3 core & security  team member Oliver Hader for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.

    General Advice

    Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

    General Note

    All security-related code changes are tagged so you can easily look them up in our review system.

    ]]>     Development TYPO3 CMS