The TYPO3 CMS has been identified with two critical vulnerabilities, CVE-2019-12747 and CVE-2019-12748, which allow for arbitrary PHP code execution on the underlying system as authenticated users, particularly those in the backend section. The first vulnerability occurs when saving any form in the backend section, allowing a malicious user to override database values containing serialized data, leading to a PHP Object Injection that enables remote code execution. The second vulnerability is a Stored Cross-Site Scripting vulnerability in the Site Redirects module, which can be exploited by an unprivileged user with access to this feature. Both vulnerabilities have been reported and addressed in TYPO3 version 9.5.8, highlighting the importance of keeping software up-to-date to prevent exploitation.