CVE-2025-59019: 
PHP vulnerability analysis and mitigation

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them. The vulnerability was disclosed on September 9, 2025, and has been assigned CVE-2025-59019 (NVD).

The vulnerability is classified as an Information Disclosure issue (CWE-200) affecting the CSV download functionality in TYPO3 CMS. The vulnerability has received a CVSS v4.0 Base Score of 5.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The issue stems from insufficient authorization checks when accessing database tables through the CSV download feature (TYPO3 Advisory).

The vulnerability allows authenticated backend users to access and download information from database tables that they should not have permission to view. This could lead to unauthorized access to sensitive data stored within the system's web mounts (AttackerKB).

Users should update to the patched versions: TYPO3 11.5.48 ELTS, 12.4.37 LTS, or 13.4.18 LTS which contain fixes for this vulnerability (TYPO3 Advisory).