Home

Description

Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.

PUBLISHED Reserved 2026-07-09 | Published 2026-07-14 | Updated 2026-07-14 | Assigner TYPO3




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-351 Insufficient Type Distinction

Product status

Default status
unaffected

14.2.0 (semver) before 14.3.5
affected

Credits

Josua Vogel remediation developer

Oliver Hader remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2026-020 vendor-advisory

cve.org (CVE-2026-15305)

nvd.nist.gov (CVE-2026-15305)

Download JSON