๐Ÿ” CVE Alert

CVE-2026-15305

UNKNOWN 0.0

TYPO3 CMS - Unrestricted File Upload in Form Framework

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.4.

CWE CWE-351
Vendor typo3
Product typo3 cms
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for typo3 typo3 cms

Be the first to know when new unknown vulnerabilities affecting typo3 typo3 cms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

TYPO3 / TYPO3 CMS
14.2.0 < 14.3.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
typo3.org: https://typo3.org/security/advisory/typo3-core-sa-2026-020 github.com: https://github.com/TYPO3/typo3/commit/817ad41cc9dd28aac0fc4d0fe16fc25d46dd554a github.com: https://github.com/TYPO3/typo3/commit/cfda21050398eb145211a4fa6f9988f10e43e10b

Credits

Josua Vogel Oliver Hader