ctipilot.ch

TYPO3 Core June 2026 (SA-2026-006) — XSS bypassing HTML Sanitizer; lead CVE of 13-advisory batch (CVE-2026-11607 et al. across SA-006…019)

cve · CVE-2026-47344

  • Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 3 (3 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-10: CTI Daily Brief — 2026-06-10
    trending_vulns: First coverage. BSI WID-SEC-2026-1835; DACH public-sector CMS; no ITW.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • typo3.org: 1 (33%)
  • wid.cert-bund.de: 1 (33%)
  • security-hub.ncsc.admin.ch: 1 (33%)

Items in briefs about TYPO3 Core June 2026 (SA-2026-006) — XSS bypassing HTML Sanitizer; lead CVE of 13-advisory batch (CVE-2026-11607 et al. across SA-006…019) (1)

CVE-2026-47344 et al. — TYPO3 core June release: 13 CVEs across every supported branch (10.4 ELTS → 14.3 LTS)

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

TYPO3 published 13 advisories on 8 June (TYPO3-CORE-SA-2026-006 onward) covering XSS bypassing the HTML Sanitizer, authenticated RCE, privilege escalation, open redirect and other security-restriction bypasses, fixed in 10.4.57/11.5.51/12.4.46 ELTS, 13.4.31 LTS and 14.3.3 LTS (TYPO3, 2026-06-08). BSI CERT-Bund catalogued the batch as WID-SEC-2026-1835 (HIGH) (BSI CERT-Bund, 2026-06-09). TYPO3 is the dominant CMS for German-speaking public-sector web estates (federal ministries, cantonal/municipal portals, universities across DACH), and the version span means essentially every production install carries at least one of these CVEs. No active exploitation reported; the higher-impact vectors require authentication. ELTS-branch operators need a subscription for fixes — those without one should accelerate migration to 13.4 LTS / 14.3 LTS.

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-10520 | Ivanti Sentry (MICS API) | 10.0 | n/a | No | No (public PoC) | R10.5.2/R10.6.2/R10.7.1 | watchTowr |
| CVE-2026-47291 | Windows HTTP.sys (IIS/WinRM) | 9.8 | n/a | No | No ("More Likely") | June 2026 Patch Tuesday | MSRC |
| CVE-2026-44815 | Windows DHCP Client | 9.8 | n/a | No | No | June 2026 Patch Tuesday | Tenable |
| CVE-2026-44748 | SAP NetWeaver AS ABAP (SAML) | 9.9 | n/a | No | No | SAP June Patch Day | Onapsis |
| CVE-2026-27671 | SAP NetWeaver/ABAP (RFC kernel) | 9.8 | n/a | No | No | SAP Note 3717897 | Onapsis |
| CVE-2026-47895 | strongSwan libstrongswan | n/a | n/a | No | No | strongSwan 6.0.7 | strongSwan |
| CVE-2026-44963 | Veeam Backup & Replication 12.x | 9.4 | n/a | No | No | 12.3.2.4854 | Veeam |
| CVE-2026-11645 | Chrome / Chromium V8 | 8.8 | n/a | Yes | Yes | Chrome 149.0.7827.103 | Chrome |
| CVE-2026-7473 | Arista EOS (VXLAN/GRE decap) | n/a | n/a | Yes | Yes | Per Arista SA-0137 | Arista |
| CVE-2026-47344 | TYPO3 Core (SA-2026-006) | n/a | n/a | No | No | 13.4.31 / 14.3.3 | TYPO3 |