Skip to main navigation Skip to main content Skip to page footer

TYPO3-CORE-SA-2026-020: Unrestricted File Upload in Form Framework

It has been discovered that TYPO3 CMS is susceptible to security misconfiguration.



Problem Description

Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured - uploading PHP files was not possible. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline.

Solution

Update to TYPO3 version 14.3.5 LTS that fixes the problem described.

Credits

Thanks to Sébastien Convers for reporting this issue, and to Josua Vogel and Oliver Hader for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.

In this article

Share this article

The Official Newsletter - subscribe now and never miss an update.

Subscribe