Update priority: TYPO3 site owners should review the June 9, 2026 core advisories for CVE-2026-49741 and CVE-2026-49740 if they run TYPO3 10, 11, 12, 13, or 14, especially sites with delegated backend editors, custom forms, or shared hosting support workflows.
The higher-risk item is CVE-2026-49741, tracked by TYPO3 as TYPO3-CORE-SA-2026-017. TYPO3 rates it high severity and says affected TYPO3 14 installations should update to 14.3.3 LTS. The related CVE-2026-49740, tracked as TYPO3-CORE-SA-2026-018, affects multiple supported and ELTS branches and is fixed in 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, and 14.3.3 LTS.
Who Should Check This Now
- Agencies and hosting teams maintaining TYPO3 customer sites.
- Sites using TYPO3 Form Framework or allowing backend users to manage forms.
- TYPO3 14 sites below 14.3.3 LTS.
- TYPO3 10, 11, 12, or 13 sites that depend on ELTS/LTS patch windows.
- Support desks that need to separate patching from custom-extension troubleshooting.
Safe Patch Checklist
- Record the current TYPO3 branch, Composer/package state, PHP version, database version, web server, cache layer, and active extensions.
- Confirm a restorable database and file backup before changing TYPO3 core, extensions, PHP, Composer packages, or deployment artifacts.
- Identify whether Form Framework is installed and whether backend users outside the core admin team can manage forms or related records.
- Schedule the update to the fixed TYPO3 version for your branch. For TYPO3 14, use 14.3.3 LTS or later.
- Apply the update through the site’s normal deployment path, then clear TYPO3 caches and any external page, CDN, or proxy cache.
- Verify backend login, form editing, form submission, frontend rendering, scheduler tasks, email delivery, file uploads, redirects, and any custom integrations.
- Review backend user permissions after the update. Remove broad form or table write permissions that are no longer needed.
- Keep the rollback point until public pages, admin workflows, forms, and logs stay clean after normal traffic resumes.
Hosting Support Notes
For managed TYPO3 customers, treat this as a normal maintenance ticket with security priority. The minimum ticket record should include the affected branch, fixed version, backup timestamp, update timestamp, cache purge status, form workflow test, frontend smoke test, and any backend-permission follow-up.
If the site is not ready for the fixed branch, document the blocker instead of leaving the advisory untracked. Common blockers include unsupported PHP, pinned Composer constraints, abandoned extensions, or custom form integrations that need a staging pass.
Related FixItPhill Guides
- TYPO3 CVE-2026-11607: Patch Form Framework Access Control
- WordPress support hub
- How to move DNS without breaking email
- How to check backups and restore points
Source-backed References
- TYPO3-CORE-SA-2026-017: CVE-2026-49741
- TYPO3-CORE-SA-2026-018: CVE-2026-49740
- TYPO3 security advisories
FixItPhill support stance: backup first, patch to the fixed TYPO3 branch, verify forms and backend permissions, and keep the support record focused on remediation rather than low-level abuse details.
