Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://typo3.org/security/advisory/typo3-core-sa-2026-020 |
|
History
Tue, 14 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5. | |
| Title | TYPO3 CMS - Unrestricted File Upload in Form Framework | |
| First Time appeared |
Typo3
Typo3 typo3 |
|
| Weaknesses | CWE-351 | |
| CPEs | cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Typo3
Typo3 typo3 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: TYPO3
Published:
Updated: 2026-07-14T13:26:21.743Z
Reserved: 2026-07-09T16:25:43.306Z
Link: CVE-2026-15305
Updated: 2026-07-14T13:26:18.256Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses