CVE-2026-15305
TYPO3 CMS - Unrestricted File Upload in Form Framework
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.4.
| CWE | CWE-351 |
| Vendor | typo3 |
| Product | typo3 cms |
| Published | Jul 14, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for typo3 typo3 cms
Be the first to know when new unknown vulnerabilities affecting typo3 typo3 cms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
TYPO3 / TYPO3 CMS
14.2.0 < 14.3.5
References
Credits
Josua Vogel Oliver Hader