CVE-2026-47347
TYPO3 CMS has an Open Redirect Vulnerability via Core Utilities
Description
### Problem

Applications that use `GeneralUtility::sanitizeLocalUrl` to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks.

### Solution

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.

### Credits

TYPO3 CMS thanks Alexandre Romao for reporting this issue, and TYPO3 core & security team member Benjamin Franzke for fixing it.

### Resources

* [TYPO3-CORE-SA-2026-009](https://typo3.org/security/advisory/typo3-core-sa-2026-009)
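As an added example (not TYPO3 code and not the patched `sanitizeLocalUrl`), a hypothetical `isLocalRedirectTarget` guard in PHP that re-validates a redirect target at the point where it is actually used, accepting only root-relative paths on the current host and falling back to a fixed local path otherwise:

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Hypothetical guard applied at the point of use:
// whatever an earlier sanitizer returned, re-check the value right before redirecting.
function isLocalRedirectTarget(string $url): bool
{
    // Reject empty input and control/whitespace characters that browsers may strip or reinterpret.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    // Browsers treat backslashes like forward slashes; never accept them.
    if (strpos($url, '\\') !== false) {
        return false;
    }
    // Require a root-relative path ("/...") and reject the protocol-relative form ("//...").
    if ($url[0] !== '/' || (isset($url[1]) && $url[1] === '/')) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // Anything carrying a scheme, host, port or credentials is not local, however it looked.
    foreach (['scheme', 'host', 'port', 'user', 'pass'] as $key) {
        if (isset($parts[$key])) {
            return false;
        }
    }
    return isset($parts['path']) && $parts['path'][0] === '/';
}

// Use the guard at the redirect itself; fall back to a fixed local path otherwise.
function redirectLocal(string $target, string $fallback = '/'): void
{
    $location = isLocalRedirectTarget($target) ? $target : $fallback;
    header('Location: ' . $location, true, 302);
    exit;
}

// Constructed sample inputs (not from the advisory) exercising the guard.
$samples = [
    '/typo3/module?id=1#top',      // root-relative path with query and fragment
    '//attacker.example/login',    // protocol-relative: resolves to another host
    '/\\attacker.example/login',   // backslash variant some browsers normalise to "//"
    'https://attacker.example/',   // absolute URL with a scheme
];
foreach ($samples as $sample) {
    printf("%-30s %s\n", $sample, isLocalRedirectTarget($sample) ? 'allowed' : 'rejected');
}
```

The guard deliberately re-checks immediately before `header()` is called, so a value that passed an earlier sanitizer but was later modified or interpreted differently cannot reach the browser unchecked.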
How to fix CVE-2026-47347
To remediate CVE-2026-47347, upgrade the affected package to a fixed version below.
- Upgrade to 10.4.57 or later
Is CVE-2026-47347 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47347.
Affected packages (1)
- >= 0, < 10.4.57
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N |