CVE-2025-7899: Powermail extension for TYPO3 allows Insecure Direct Object Reference

July 22, 2025

The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.

References

github.com/advisories/GHSA-x769-3cwv-f8hc
github.com/in2code-de/powermail
github.com/in2code-de/powermail/commit/b39e129c5e2a797f0ccf271fea220c7933ca77bc
nvd.nist.gov/vuln/detail/CVE-2025-7899
typo3.org/security/advisory/typo3-ext-sa-2025-009

Code Behaviors & Features

Detect and mitigate CVE-2025-7899 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →