
CVE-2026-47347: TYPO3 CMS Open Redirect Vulnerability

CVE-2026-47347 is an open redirect vulnerability in TYPO3 CMS affecting the GeneralUtility::sanitizeLocalUrl function. Attackers can redirect users to malicious sites for phishing attacks. This article covers technical details and mitigation.


CVE-2026-47347 Overview

CVE-2026-47347 is an open redirect vulnerability [CWE-601] in TYPO3 CMS affecting the GeneralUtility::sanitizeLocalUrl function. Applications that rely on this function to enforce local-only URLs fail to detect crafted inputs that bypass the sanitization checks. Attackers can supply a URL that passes validation but resolves to an external destination when consumed downstream. This enables redirection of authenticated users to attacker-controlled sites for phishing and credential theft. The flaw affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2.

Critical Impact

Attackers can redirect TYPO3 users to attacker-controlled external sites through URLs that bypass sanitizeLocalUrl validation, facilitating phishing and credential harvesting.

Affected Products

  • TYPO3 CMS versions prior to 10.4.57
  • TYPO3 CMS 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, and 13.0.0 through 13.4.30
  • TYPO3 CMS 14.0.0 through 14.3.2

Discovery Timeline

  • 2026-06-09 - CVE-2026-47347 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-47347

Vulnerability Analysis

The vulnerability resides in GeneralUtility::sanitizeLocalUrl within typo3/sysext/core/Classes/Utility/GeneralUtility.php. The original implementation rejected URLs only when they contained newline, carriage return, or null bytes (\n, \r, \x00). This narrow blacklist failed to catch other unexpected characters that web browsers and HTTP parsers interpret differently from the TYPO3 validator. When such a URL passes sanitization and is later used in a redirect response, the browser resolves it to an external host. The attacker only needs an authenticated user to click a crafted link on a trusted TYPO3 domain to be redirected to a phishing endpoint.

Root Cause

The root cause is improper input validation [CWE-601] based on a denylist of forbidden whitespace characters rather than an allowlist of permitted URL characters. The function did not enforce conformance to RFC 3986 URI syntax, allowing characters outside the reserved and unreserved sets to slip through. Downstream consumers of the sanitized URL treat the value as safe and use it in Location headers or client-side navigation.

Attack Vector

Exploitation requires user interaction. An attacker crafts a URL targeting a TYPO3 endpoint that accepts a redirect target parameter validated through sanitizeLocalUrl. The URL appears to be local but contains characters that cause the final HTTP redirect to point externally. The victim, expecting to remain on the trusted TYPO3 host, lands on an attacker-controlled domain mimicking the legitimate site.

```php
// Security patch in typo3/sysext/core/Classes/Utility/GeneralUtility.php
// Replaces a narrow denylist with an explicit allowlist of valid URL characters.
public static function sanitizeLocalUrl(string $url = ''): string
{
    $sanitizedUrl = '';
    if (!empty($url)) {
        $validUrlCharacters = array_merge(
            [
                // Percent-Encoding: RFC 3986 section 2.1
                '%',
                // Reserved Characters: RFC 3986 section 2.2
                ':', '/', '?', '#', '[', ']', '@',
                '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=',
                // Unreserved Characters: RFC 3986 section 2.3
                '-', '.', '_', '~',
            ],
            // ALPHA + DIGIT: a-z, A-Z, 0-9
            range('a', 'z'),
            range('A', 'Z'),
            range('0', '9')
        );

        // Strip every allowed character; anything left over is not a valid URL character.
        $hasInvalidCharacters = str_replace($validUrlCharacters, '', $url) !== '';
        if ($hasInvalidCharacters) {
            static::getLogger()->notice(
                'The URL "{url}" contains unexpected characters and was denied as local url.',
                ['url' => $url]
            );
            return '';
        }
        // ... the pre-existing checks that the URL resolves to the local site follow here
    }
    return $sanitizedUrl;
}
// Source: https://github.com/TYPO3/typo3/commit/22c2dd5398ebc4cb7aa4aa37e02cb39181dee0cd
```

Detection Methods for CVE-2026-47347

Indicators of Compromise

  • Web server access logs containing redirect parameter values with non-ASCII or unexpected characters passed to TYPO3 endpoints.
  • TYPO3 application log entries noting URLs denied as local after applying the patched validation.
  • HTTP 302 responses from TYPO3 hosts whose Location header points to an external domain.

Detection Strategies

  • Inspect parameters such as redirect_url, returnUrl, and similar TYPO3 redirect targets for URLs containing characters outside the RFC 3986 set.
  • Correlate outbound redirects from TYPO3 domains against an allowlist of internal hosts to flag external destinations.
  • Review TYPO3 audit logs for repeated invocations of GeneralUtility::sanitizeLocalUrl with anomalous input.
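The first two detection strategies above, run over constructed access-log lines as an added example (not TYPO3 project code). The redirect parameter names, the internal host list and the log format with a trailing quoted Location field are assumptions for this example.

```python
import re
from urllib.parse import urlsplit
# Added example: scan access logs for the indicators listed in this advisory.
REDIRECT_PARAMS = {"redirect_url", "returnUrl", "return_url", "url"}  # assumed names
INTERNAL_HOSTS = {"www.example.org", "example.org"}  # assumed hosts of the TYPO3 site
# Anything outside the RFC 3986 reserved/unreserved set plus '%' (the patch's allowlist).
NOT_RFC3986 = re.compile(r"[^A-Za-z0-9%:/?#\[\]@!$&'()*+,;=\-._~]")
# Assumed LogFormat: Apache common log plus the response Location header as a last field.
LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>.*?) HTTP/\S+" '
                      r'(?P<status>\d{3}) \S+ "(?P<location>[^"]*)"$')

def redirect_param_values(target):
    """Raw (undecoded) values of redirect-target parameters in a request target."""
    query = target.partition("?")[2]
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name in REDIRECT_PARAMS:
            yield name, value

def is_external_location(location):
    """True when a Location header leaves the set of internal hosts."""
    if location in ("", "-"):
        return False
    try:
        parts = urlsplit(location)
    except ValueError:
        return True  # unparsable redirect target: treat as suspicious
    if not parts.scheme and not parts.netloc:
        return False  # relative redirect stays on the current host
    return parts.hostname not in INTERNAL_HOSTS

def scan(log_text):
    """Return (line_no, reason) findings for both indicators over log text."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in redirect_param_values(m["target"]):
            if NOT_RFC3986.search(value):
                findings.append((no, f"non-RFC3986 chars in {name}={value}"))
        if m["status"].startswith("3") and is_external_location(m["location"]):
            findings.append((no, f"external Location {m['location']}"))
    return findings

SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2026:10:00:01 +0000] "GET /index.php?id=1&returnUrl=/dashboard HTTP/1.1" 302 0 "/dashboard"
203.0.113.5 - - [09/Jun/2026:10:00:02 +0000] "GET /index.php?id=1&returnUrl=/dash|board HTTP/1.1" 200 0 "-"
198.51.100.7 - - [09/Jun/2026:10:00:03 +0000] "GET /index.php?id=1&returnUrl=/login HTTP/1.1" 302 0 "https://phishing.example/login"
"""
```

Only the second and third constructed lines produce findings; an absolute Location on an internal host is not flagged.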

Monitoring Recommendations

  • Centralize TYPO3 application and web server logs in a SIEM and alert on redirect responses targeting unapproved external domains.
  • Track user-reported phishing emails containing links to the organization's TYPO3 hosts for confirmation of in-the-wild abuse.
  • Monitor for spikes in 3xx responses from TYPO3 endpoints handling user-supplied URL parameters.

How to Mitigate CVE-2026-47347

Immediate Actions Required

  • Upgrade TYPO3 CMS to 10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3 as appropriate for your branch.
  • Audit custom extensions that call GeneralUtility::sanitizeLocalUrl and validate that they reject external destinations after sanitization.
  • Review web application firewall rules to block redirect parameters containing characters outside the RFC 3986 reserved and unreserved sets.

Patch Information

The TYPO3 project published the fix in the TYPO3 Security Advisory TYPO3-CORE-SA-2026-009. The code change is available in the upstream commits 22c2dd5 and 3ffc083. The patch replaces the prior whitespace denylist with an explicit allowlist of URL characters drawn from RFC 3986.

Workarounds

  • Restrict redirect targets in custom controllers to a hardcoded allowlist of internal paths instead of accepting user-supplied URLs.
  • Apply WAF signatures that reject query parameters containing characters outside [A-Za-z0-9%:/?#\[\]@!$&'()*+,;=\-._~].
  • Implement an interstitial confirmation page before performing any redirect to a value derived from user input.

```bash
# Example WAF rule (ModSecurity) to block suspicious redirect parameters.
# The ARGS regex selector restricts the character check to the redirect-target
# parameters themselves, so other parameters (search terms, free text) are unaffected.
# Note: ModSecurity URL-decodes ARGS before matching, so a percent-encoded space
# is also rejected; test the rule against legitimate traffic before enforcing it.
SecRule "ARGS:/(?i)(redirect|returnUrl|return_url|url)/" \
    "@rx [^A-Za-z0-9%:/?#\[\]@!$&'()*+,;=\-._~]" \
    "id:1009347,phase:2,t:none,deny,status:403,log,msg:'CVE-2026-47347 suspicious redirect parameter'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
