Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.
PUBLISHED5.2CWE-351
TYPO3 CMS - Unrestricted File Upload in Form Framework
Problem type
Affected products
TYPO3
TYPO3 CMS
< 14.3.5 - AFFECTED
References
GitHub Security Advisories
GHSA-p8pr-442q-qf8g
Users were able to upload files with arbitrary MIME types to forms using FileUpload or...
https://github.com/advisories/GHSA-p8pr-442q-qf8gUsers were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-15305Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-15305",
"assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"assignerShortName": "TYPO3",
"dateUpdated": "2026-07-14T13:26:21.743Z",
"dateReserved": "2026-07-09T16:25:43.306Z",
"datePublished": "2026-07-14T12:45:10.996Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"shortName": "TYPO3",
"dateUpdated": "2026-07-14T12:45:10.996Z"
},
"title": "TYPO3 CMS - Unrestricted File Upload in Form Framework",
"descriptions": [
{
"lang": "en",
"value": "Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Users were able to upload files with arbitrary MIME types to forms using <code>FileUpload</code> or <code>ImageUpload</code> elements with <code>allowedMimeTypes</code> configured. The restriction was not enforced server-side because the <code>MimeTypeValidator</code> was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5."
}
]
}
],
"affected": [
{
"vendor": "TYPO3",
"product": "TYPO3 CMS",
"collectionURL": "https://packagist.org",
"packageName": "typo3/cms-form",
"modules": [
"Form Framework"
],
"repo": "https://github.com/TYPO3/typo3",
"defaultStatus": "unaffected",
"versions": [
{
"version": "14.2.0",
"status": "affected",
"versionType": "semver",
"lessThan": "14.3.5"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-351 Insufficient Type Distinction",
"cweId": "CWE-351",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://typo3.org/security/advisory/typo3-core-sa-2026-020",
"tags": [
"vendor-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Josua Vogel",
"type": "remediation developer"
},
{
"lang": "en",
"value": "Oliver Hader",
"type": "remediation developer"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-07-14T13:26:21.743Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}