Skip to main navigation Skip to main content Skip to page footer
TYPO3 14.3.5 Fixes a Security Vulnerability in the Form Framework

TYPO3 14.3.5 Fixes a Security Vulnerability in the Form Framework

Have the article read aloud.

Loading the Elevenlabs Text to Speech AudioNative Player...
| TYPO3 | Estimated reading time : min.
This article was automatically translated using DeepL. Therefore, inaccuracies may occur.

TYPO3 14.3.5 fixes a security vulnerability in the Form Framework that allowed file upload restrictions to be bypassed. According to the TYPO3 Core Team, versions 13.4.33 and the ELTS versions contain only regular bug fixes.

On July 14, 2026, TYPO3 released two new maintenance versions: TYPO3 14.3.5 LTS and TYPO3 13.4.33 LTS. Anyone using TYPO3 14 who has not yet updated to 14.3.5 should do so as soon as possible, as this version patches a security vulnerability in the Form Framework.

The Vulnerability: Unrestricted File Upload in ext:form

The vulnerability is documented as TYPO3-CORE-SA-2026-020 (CVE-2026-15305) and affects only versions 14.2.0 through 14.3.4. The severity is rated as "Medium."

Specifically, the issue involved FileUpload and ImageUpload elements in ext:form, where the allowedMimeTypes property could be configured to restrict file types. However, this restriction was not enforced on the server side: The responsible `MimeTypeValidator` was registered when the form was constructed, before the specific form definitions were applied. As a result, the validator never entered the actual processing pipeline.

As a result, users could upload files with any MIME type, even if only certain types were allowed in the form. However, PHP files could not be uploaded this way. The vulnerability was reported by Sébastien Convers and fixed by Josua Vogel and Oliver Hader.

What This Means for 13.4.33 Users

TYPO3 core developer Oliver Hader clarified this on the TYPO3 Slack channel: The TYPO3 14 release includes the security fix and regular bug fixes; all other current versions, including 13.4.33, provide only regular bug fixes. Users of TYPO3 13.4 with ext:form are therefore not affected by CVE-2026-15305. An update to 13.4.33 is still recommended, however, due to the bug fixes it contains.

ELTS Updates for Older Versions

On the same day, the TYPO3 ELTS team also released versions 10.4.59, 11.5.53, and 12.4.48. All three are officially considered end-of-life: TYPO3 v12.4 since April 30, 2026; TYPO3 v11.5 since October 2024; and TYPO3 v10.4 since April 2023. Anyone still running one of these versions in production will only receive security and maintenance updates through a paid ELTS contract with TYPO3 GmbH. Currently, only TYPO3 14.3.5 and 13.4.33 are supported by free community updates.

Update Notes

No database updates are required for either version. After the update, it is usually sufficient to clear the cache.

Anyone using ext:form with file uploads in production and still running a TYPO3 14 version up to 14.3.4 should not delay updating to 14.3.5. The vulnerability “only” affects the validation of allowed file types—not the execution of code via PHP uploads—but it is still an entry point that should be closed.

Back

Do you have a question or want to discuss the topic?

In the Community Hub for TYPO3 you can exchange ideas with other TYPO3 users. And if you don't want to miss any new articles: The TYPO3 Newsletter comes once a month, without spam.

Wolfgang Wagner

Wolfgang Wagner

TYPO3 Trainer, Integrator und Berater TYPO3 Certified Integrator (TCCI)

Wolfgang Wagner – TYPO3 Seminare und Support · TYPO3 Education and Certification Committee · TCCI Task Force

Wolfgang Wagner arbeitet seit 2006 mit TYPO3 und ist unter wwagner.net als Trainer, Integrator und Berater aktiv. Schwerpunkt sind Schulungen, Online-Kurse und individuelle Beratung für Integratoren, Agenturen und Betreiber von TYPO3-Webseiten, die TYPO3 sauber, modern und wirtschaftlich einsetzen wollen. Er ist Mitglied im TYPO3 Education and Certification Committee und in der TCCI Task Force und gestaltet die offizielle TYPO3 Certified Integrator Prüfung aktiv mit.