typo3/cms-core: Path Allowance Check Bypass in GeneralUtility::isAllowedAbsPath()
What changed
The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html.
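To make the boundary problem concrete, here is an added illustration in PHP (not TYPO3's own code; the function names isAllowedAbsPathNaive and isAllowedAbsPathBounded are hypothetical, and PHP 8 is assumed for str_starts_with). It places a plain prefix comparison next to one that requires a directory separator after the project root, and runs both over a few constructed paths, including the /var/www/html-other/secret.yaml case from the description.

```php
<?php
// Added illustration, not TYPO3 code: naive prefix check versus a check that
// requires a directory-separator boundary after the project root.
// Assumes PHP 8 (str_starts_with).

declare(strict_types=1);

/**
 * Naive check (hypothetical name): accepts any path that merely begins with
 * the root string. /var/www/html-other/... passes because it shares the
 * character prefix /var/www/html.
 */
function isAllowedAbsPathNaive(string $path, string $projectRoot): bool
{
    return str_starts_with($path, $projectRoot);
}

/**
 * Bounded check (hypothetical name): the path must be the root itself, or
 * begin with the root followed by a '/'. Sibling directories that share the
 * prefix are rejected.
 */
function isAllowedAbsPathBounded(string $path, string $projectRoot): bool
{
    $root = rtrim($projectRoot, '/');
    if ($path === $root) {
        return true;
    }
    return str_starts_with($path, $root . '/');
}

// Constructed sample inputs for the demonstration.
$projectRoot = '/var/www/html';
$samples = [
    '/var/www/html/fileadmin/a.txt',   // inside root: both accept
    '/var/www/html',                   // root itself: both accept
    '/var/www/html-other/secret.yaml', // sibling dir: naive accepts, bounded rejects
    '/var/www/htmlx',                  // prefix-only match: naive accepts, bounded rejects
];

foreach ($samples as $path) {
    printf(
        "%-34s naive=%-5s bounded=%s\n",
        $path,
        isAllowedAbsPathNaive($path, $projectRoot) ? 'true' : 'false',
        isAllowedAbsPathBounded($path, $projectRoot) ? 'true' : 'false'
    );
}
```

The bounded variant only fixes the separator-boundary issue the advisory describes; it assumes the input has already been normalized (resolved `..` segments and symlinks), which is a separate step that must happen before any prefix comparison is meaningful.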
Who it affects
Administrator users with access to the File Abstraction Layer who can create new file storage definitions pointing to directories outside the project root.
What to do today
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS that fix the problem.