{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4202", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "state": "PUBLISHED", "assignerShortName": "TYPO3", "dateReserved": "2026-03-15T10:57:58.870Z", "datePublished": "2026-03-17T08:33:40.968Z", "dateUpdated": "2026-03-17T13:17:40.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2026-03-17T08:33:40.968Z"}, "title": "Broken Access Control in extension \"Redirect Tab\"", "datePublic": "2026-03-17T09:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862", "type": "CWE"}, {"lang": "en", "cweId": "CWE-200", "description": "CWE-200", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "TYPO3", "product": "Extension \"Redirect Tabs\"", "collectionURL": "https://packagist.org/", "packageName": "ayacoo/redirect-tab", "repo": "https://github.com/ayacoo/redirect_tab", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.5", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.1.7", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "2.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page.</span>"}]}], "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-006", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Guido Schmechel", "type": "reporter"}, {"lang": "en", "value": "Guido Schmechel", "type": "remediation developer"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:17:25.795221Z", "id": "CVE-2026-4202", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:17:40.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4202", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:17:25.795221Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:17:36.102Z"}}], "cna": {"title": "Broken Access Control in extension \"Redirect Tab\"", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Guido Schmechel"}, {"lang": "en", "type": "remediation developer", "value": "Guido Schmechel"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/ayacoo/redirect_tab", "vendor": "TYPO3", "product": "Extension \"Redirect Tabs\"", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.5", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.1.7", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "2.1.2", "versionType": "semver"}], "packageName": "ayacoo/redirect-tab", "collectionURL": "https://packagist.org/", "defaultStatus": "unaffected"}], "datePublic": "2026-03-17T09:00:00.000Z", "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-006", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page.", "supportingMedia": [{"type": "text/html", "value": "<span>The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862"}, {"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200"}]}], "providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2026-03-17T08:33:40.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4202", "state": "PUBLISHED", "dateUpdated": "2026-03-17T13:17:40.134Z", "dateReserved": "2026-03-15T10:57:58.870Z", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "datePublished": "2026-03-17T08:33:40.968Z", "assignerShortName": "TYPO3"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ayacoo:redirect_tab:*:*:*:*:*:typo3:*:*", "matchCriteriaId": "18F638CD-0023-4EC8-88DD-4AA9E0B7351E", "versionEndExcluding": "2.1.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:ayacoo:redirect_tab:*:*:*:*:*:typo3:*:*", "matchCriteriaId": "1A235DBB-AEC7-4400-A86D-CB570E9C5BEC", "versionEndExcluding": "3.1.7", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ayacoo:redirect_tab:*:*:*:*:*:typo3:*:*", "matchCriteriaId": "755731AD-E113-4151-8B50-A02E475290CC", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page."}, {"lang": "es", "value": "La extensi\u00f3n falla al verificar si un usuario autenticado tiene permisos para acceder a las redirecciones, resultando en la exposici\u00f3n de registros de redirecci\u00f3n al editar una p\u00e1gina."}], "id": "CVE-2026-4202", "lastModified": "2026-04-25T18:40:02.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}, "published": "2026-03-17T09:16:14.627", "references": [{"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "tags": ["Vendor Advisory"], "url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-006"}], "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-862"}], "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.1.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Extension \"Redirect Tabs\"", "source": "cna", "vendor": "TYPO3"}, "product": "extension_\"redirect_tabs\"", "vendor": "typo3"}], "analysis": {"en": {"generated_at": "2026-03-17T10:51:22.928972+00:00", "value": {"mitigation_remediation": ["Check the vendor advisory at https://typo3.org/security/advisory/typo3-ext-sa-2026-006 for an available patch or upgrade to a version that fixes the access control issue.", "If no patch is available, disable the 'Redirect Tabs' extension in the TYPO3 backend to prevent unauthorized exposure of redirect records.", "Review backend user permissions to ensure only authorized users can edit pages and view redirect data, and consider tightening role-based access controls."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via Broken Access Control"}, "threat_synthesis": {"affected_systems": "The vulnerability affects TYPO3 installations that have the 'Redirect Tabs' extension enabled. No specific version numbers are listed in the advisory, so any deployment with the extension present and not patched may be susceptible.", "description_and_impact": "The 'Redirect Tabs' extension for TYPO3 fails to verify whether an authenticated user has permission to access redirect records. As a result, when editing a page, the user can view redirect records that they should not be able to see. This constitutes an information disclosure vulnerability, limited to users who can authenticate to the TYPO3 backend and who have access to edit pages. The primary impact is confidentiality loss: sensitive redirect data may be exposed to unauthorized internal users.", "risk_and_exploitability": "The CVSS score is 2.3, indicating a low severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting it is not widely exploited. The likely attack vector is local; an attacker must first authenticate to the TYPO3 backend to edit a page and then trigger the exposure. This requires possessing valid credentials and edit access, which limits the exploitation to insiders or compromised accounts."}}}}, "created": "2026-03-18T12:13:33.546828+00:00", "updated": "2026-03-24T10:49:29.102430+00:00", "vendors": ["typo3", "typo3$PRODUCT$extension_\"redirect_tabs\""]}