[GHSA-22q7-cg4r-p9mx] TYPO3 Cross-Site Scripting in Fluid ViewHelpers#8011

Open
RainSignal wants to merge 1 commit into
RainSignal/advisory-improvement-8011from
RainSignal-GHSA-22q7-cg4r-p9mx

Conversation

@RainSignal

Updates

  • Affected products
  • References
  • Source code location

Comments
The affected package is incorrectly listed as typo3/cms-core.
The vulnerability exists in typo3/cms-fluid, specifically in three
ViewHelpers: HtmlentitiesViewHelper, StripTagsViewHelper, and
UrlencodeViewHelper. These ViewHelpers failed to encode objects
implementing __toString() before output, and HtmlentitiesViewHelper
used ENT_COMPAT instead of ENT_QUOTES, leaving single quotes unencoded.

This was verified by reviewing the security commit in the
TYPO3-CMS/fluid repository:
TYPO3-CMS/fluid@v8.7.22...v8.7.23
TYPO3-CMS/fluid@v9.5.3...v9.5.4

typo3/cms-core and typo3/cms-fluid are independent Composer packages.
Listing cms-core as affected may mislead users into upgrading the wrong
package.
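
The two defects the comment above describes, shown side by side as an added example (not code from TYPO3 or from this PR; class and function names are hypothetical, and PHP 8 is assumed for the `Stringable` interface and constructor promotion):

```php
<?php
// Constructed sample value: an object whose __toString() yields text containing
// a single quote, an ampersand and angle brackets.
final class UserLabel implements Stringable
{
    public function __construct(private string $raw) {}

    public function __toString(): string
    {
        return $this->raw;
    }
}

// Weak variant, mirroring the pre-fix behaviour described in the advisory note:
// non-string values (including Stringable objects) bypass encoding entirely, and
// ENT_COMPAT encodes double quotes but leaves single quotes untouched.
function renderWeak(mixed $value): string
{
    if (!is_string($value)) {
        return (string)$value;          // __toString() output reaches the page unencoded
    }
    return htmlentities($value, ENT_COMPAT, 'UTF-8');
}

// Hardened variant: cast Stringable objects to string first, refuse anything that is
// still not text, then encode with ENT_QUOTES so both quote characters are covered.
function renderSafe(mixed $value): string
{
    if ($value instanceof Stringable) {
        $value = (string)$value;
    }
    if (!is_string($value)) {
        return '';                      // hypothetical policy: never emit non-text values
    }
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

$label = new UserLabel("O'Reilly & <Sons>");

// Object input: the weak path returns the raw text, the safe path encodes it.
echo renderWeak($label), PHP_EOL;
echo renderSafe($label), PHP_EOL;

// Plain string input: only the ENT_QUOTES path encodes the single quote.
echo renderWeak((string)$label), PHP_EOL;
echo renderSafe((string)$label), PHP_EOL;
```

Run it with `php example.php`; the single quote in the last two lines is the visible difference between ENT_COMPAT and ENT_QUOTES, and the first two lines show why a `Stringable` check must precede the `is_string` guard.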

Copilot stopped work on behalf of RainSignal due to an error June 11, 2026 14:31
@github-actions github-actions Bot changed the base branch from main to RainSignal/advisory-improvement-8011 June 11, 2026 14:32