TYPO3 14.3.5 Fixes a Security Vulnerability in the Form Framework
Have the article read aloud.
TYPO3 14.3.5 fixes a security vulnerability in the Form Framework that allowed file upload restrictions to be bypassed. According to the TYPO3 Core Team, versions 13.4.33 and the ELTS versions contain only regular bug fixes.
On July 14, 2026, TYPO3 released two new maintenance versions: TYPO3 14.3.5 LTS and TYPO3 13.4.33 LTS. Anyone using TYPO3 14 who has not yet updated to 14.3.5 should do so as soon as possible, as this version patches a security vulnerability in the Form Framework.
The Vulnerability: Unrestricted File Upload in ext:form
The vulnerability is documented as TYPO3-CORE-SA-2026-020 (CVE-2026-15305) and affects only versions 14.2.0 through 14.3.4. The severity is rated as "Medium."
Specifically, the issue involved FileUpload and ImageUpload elements in ext:form, where the allowedMimeTypes property could be configured to restrict file types. However, this restriction was not enforced on the server side: The responsible `MimeTypeValidator` was registered when the form was constructed, before the specific form definitions were applied. As a result, the validator never entered the actual processing pipeline.
As a result, users could upload files with any MIME type, even if only certain types were allowed in the form. However, PHP files could not be uploaded this way. The vulnerability was reported by Sébastien Convers and fixed by Josua Vogel and Oliver Hader.
What This Means for 13.4.33 Users
TYPO3 core developer Oliver Hader clarified this on the TYPO3 Slack channel: The TYPO3 14 release includes the security fix and regular bug fixes; all other current versions, including 13.4.33, provide only regular bug fixes. Users of TYPO3 13.4 with ext:form are therefore not affected by CVE-2026-15305. An update to 13.4.33 is still recommended, however, due to the bug fixes it contains.
ELTS Updates for Older Versions
On the same day, the TYPO3 ELTS team also released versions 10.4.59, 11.5.53, and 12.4.48. All three are officially considered end-of-life: TYPO3 v12.4 since April 30, 2026; TYPO3 v11.5 since October 2024; and TYPO3 v10.4 since April 2023. Anyone still running one of these versions in production will only receive security and maintenance updates through a paid ELTS contract with TYPO3 GmbH. Currently, only TYPO3 14.3.5 and 13.4.33 are supported by free community updates.
Update Notes
No database updates are required for either version. After the update, it is usually sufficient to clear the cache.
Anyone using ext:form with file uploads in production and still running a TYPO3 14 version up to 14.3.4 should not delay updating to 14.3.5. The vulnerability “only” affects the validation of allowed file types—not the execution of code via PHP uploads—but it is still an entry point that should be closed.
BackDo you have a question or want to discuss the topic?
In the Community Hub for TYPO3 you can exchange ideas with other TYPO3 users. And if you don't want to miss any new articles: The TYPO3 Newsletter comes once a month, without spam.